loading...
Cover image for Automate your node dependency updates

Automate your node dependency updates

dennismphil profile image Dennis Mathew Philip ・3 min read

A reasonably large Node application will have 100's of dependencies. Keeping them all updated is a 🧹chore a developer needs to perform at some point. Either you ignore the dependency updates until you are stuck with a very old set of dependencies hindering your progress with 🦹‍♂️ security vulnerabilities or you spend your valuable application development time manually testing out the updates on a reasonable cadence.

Let's see how to automate this process in an enterprise environment assuming you have some kind of CI/CD environment and a private GitHub repo.

🥒 Ingredients

  1. Solid unit tests for your code. Bonus points if you have end to end tests and snapshot tests for UI components
  2. next-update An npm package which tests whether your dependencies can be updated without breaking the tests.
  3. hub CLI This is a command-line application from Git"Hub" which can interact with your GitHub repo. hub is exactly similar to git CLI and a drop-in replacement but has added features to interact with GitHub. Handy to open a Pull Request after the update operation.

📝 Recipe

  • npm install next-update --save-dev
    Install next-update as a dev-dependency.

  • Configure an npm script dep:update in your package.json scripts section

    // package.json
    {
      "name": "a-sample-node-project",
      "version": "0.0.1",
      "description": "A sample node project",
      "scripts": {
        "test": "jest",
        "start": "node app.js",
        "dep:update": "next-update" // Configure an npm script
      },
      "devDependencies": {
        "next-update": "^3.6.0"
      },
      "dependencies": {
      },
    }
    
  • npm run dep:update
    Run the script. next-update will go ahead and find all new packages. Updates them in sequence and keep the update if your tests pass.

  • Download and install the hub cli

    # download-hub.sh
    HUB_CLI=/opt/hub-linux/bin/hub
    
    if [[ ! -f $HUB_CLI ]]; then
       wget https://github.com/github/hub/releases/download/v2.12.2/hub-linux-amd64-2.12.2.tgz 
       tar zxvf hub-linux-amd64-2.12.2.tgz 
       rm -rf hub-linux-amd64-2.12.2.tgz /opt/hub-linux
       mv hub-linux-amd64-2.12.2 /opt/hub-linux
    fi
    
  • Configure hub

    git config --global --replace-all hub.host github.yourdomain.com
    git config --global --replace-all hub.protocol git
    
  • Instruct the 🤖 bot to open a Pull Request

    $HUB_CLI add package.json package-lock.json
    $HUB_CLI commit -m "🤖 [BOT] Automated dependency update"
    $HUB_CLI pull-request \
        --push \
        -m "Pull Request Subject" \
        -m "Pull Request Description" \
        --no-edit \
        --reviewer user-id1,user-id2
    
  • Hook up this script in your CI/CD environment to run daily

Wrapping up

We saw how to check and update the node dependencies and automate the process of opening a PR. If your project is open-source, you may use a service like Greenkeeper.

Cheers

Please find my previous writings on Medium:

  1. One side rounded rectangle using SVG
  2. Visual Studio Code — Debug Mode
  3. I want TypeScript to succeed.
  4. What’s in my laptop?
  5. CoffeeScript’s most loved feature soon in JavaScript

Posted on by:

dennismphil profile

Dennis Mathew Philip

@dennismphil

Lead Software Engineer@Salesforce

Discussion

markdown guide
 

Automatically updating dependencies can be a bad practice but it doesn't have to be.

You are right. Having old dependencies can be bad. Doing the work takes time.
Some pitfalls can be:
1) You don't have any tests and you don't even know that your app/website is broken. Just because something builds does not mean that it works.
2) Testing the client code can be hard. You need to run e2e tests
3) If it is only about security problems then you should use npm audit.
4) Dependencies can introduce breaking changes and you don't even know it.

So yeah make sure you have a really good testing scenario before you automate dependency updating.

 

Great tip, this is awesome!

Only thing I will suggest is that integration or e2e tests might be better for this purpose, since unit tests often mock out their dependencies.

 

GitHub also merged in Dependabot, which does the same thing, but also opens a PR for new updates.

 

I'm second that tests only cover every scenerio in an ideal world. You can auto update your deps, but I recommend to do that in dev environment. Never tinker with production at first.

 

Yes, and make sure you have some way to revert to older versions in case something breaks up (or be ready to spend a good amount to time to fix your software).

 

Nice Read @dennismphil .

This might be a problem with dependencies that their updates introduces breaking changes.