A reasonably large Node application will have 100's of dependencies. Keeping them all updated is a 🧹chore a developer needs to perform at some point. Either you ignore the dependency updates until you are stuck with a very old set of dependencies hindering your progress with 🦹♂️ security vulnerabilities or you spend your valuable application development time manually testing out the updates on a reasonable cadence.
Let's see how to automate this process in an enterprise environment assuming you have some kind of CI/CD environment and a private GitHub repo.
🥒 Ingredients
- Solid unit tests for your code. Bonus points if you have end to end tests and snapshot tests for UI components
-
next-update
An npm package which tests whether your dependencies can be updated without breaking the tests. -
hub
CLI This is a command-line application from Git"Hub" which can interact with your GitHub repo.hub
is exactly similar togit
CLI and a drop-in replacement but has added features to interact with GitHub. Handy to open a Pull Request after the update operation.
📝 Recipe
npm install next-update --save-dev
Install next-update as a dev-dependency.-
Configure an
npm
scriptdep:update
in yourpackage.json
scripts section
// package.json { "name": "a-sample-node-project", "version": "0.0.1", "description": "A sample node project", "scripts": { "test": "jest", "start": "node app.js", "dep:update": "next-update" // Configure an npm script }, "devDependencies": { "next-update": "^3.6.0" }, "dependencies": { }, }
npm run dep:update
Run the script.next-update
will go ahead and find all new packages. Updates them in sequence and keep the update if your tests pass.-
Download and install the
hub
cli
# download-hub.sh HUB_CLI=/opt/hub-linux/bin/hub if [[ ! -f $HUB_CLI ]]; then wget https://github.com/github/hub/releases/download/v2.12.2/hub-linux-amd64-2.12.2.tgz tar zxvf hub-linux-amd64-2.12.2.tgz rm -rf hub-linux-amd64-2.12.2.tgz /opt/hub-linux mv hub-linux-amd64-2.12.2 /opt/hub-linux fi
-
Configure hub
git config --global --replace-all hub.host github.yourdomain.com git config --global --replace-all hub.protocol git
-
Instruct the 🤖 bot to open a Pull Request
$HUB_CLI add package.json package-lock.json $HUB_CLI commit -m "🤖 [BOT] Automated dependency update" $HUB_CLI pull-request \ --push \ -m "Pull Request Subject" \ -m "Pull Request Description" \ --no-edit \ --reviewer user-id1,user-id2
Hook up this script in your CI/CD environment to run daily
Wrapping up
We saw how to check and update the node dependencies and automate the process of opening a PR. If your project is open-source, you may use a service like Greenkeeper.
Cheers
Please find my previous writings on Medium:
Top comments (6)
Automatically updating dependencies can be a bad practice but it doesn't have to be.
You are right. Having old dependencies can be bad. Doing the work takes time.
Some pitfalls can be:
1) You don't have any tests and you don't even know that your app/website is broken. Just because something builds does not mean that it works.
2) Testing the client code can be hard. You need to run e2e tests
3) If it is only about security problems then you should use
npm audit
.4) Dependencies can introduce breaking changes and you don't even know it.
So yeah make sure you have a really good testing scenario before you automate dependency updating.
Great tip, this is awesome!
Only thing I will suggest is that integration or e2e tests might be better for this purpose, since unit tests often mock out their dependencies.
GitHub also merged in Dependabot, which does the same thing, but also opens a PR for new updates.
I'm second that tests only cover every scenerio in an ideal world. You can auto update your deps, but I recommend to do that in dev environment. Never tinker with production at first.
Yes, and make sure you have some way to revert to older versions in case something breaks up (or be ready to spend a good amount to time to fix your software).
Nice Read @dennismphil .
This might be a problem with dependencies that their updates introduces breaking changes.