DEV Community


Update Dependencies by Human and Dependabot

Yuan-Hsi Lee
She/her. Web development, Linux Mint, C#, open source.

Last week, we brought a new member, dependabot, to our project. Everything looked great, and he did his job perfectly. However, because of the large number of dependency-update PRs (approximately 40 PRs were created the day we added dependabot) and the automatic rebase feature, every PR sent by dependabot was rebased whenever a new PR was merged into the master branch. This unfortunately broke our CI, and we had no choice but to let him leave.

Since dependabot left, I got my old job back: I manually updated about 35 outdated packages. Surprisingly, most of them did not break a thing in our project, even the major ones. I follow these steps to update a dependency:

1. Read the release notes. This gives you a basic understanding of what changed in the new version of the package.
2. Update the dependency with `npm i <package-name>@latest`.
3. Run the unit tests and look into any failures. The knowledge from step 1 is helpful here.
4. If all tests pass, run the application and make sure all the functionality works as well as before.

There was only one dependency that did not pass the tests: bull-board. Our old version was 0.9.0 and the latest version is 1.3.1. Version 0.9.0 is not only outdated, but also causes a warning because of its own dependency, highlight.js. Version 0.9.0 of bull-board uses version 9 of highlight.js. Therefore, even though we have updated our own highlight.js to version 10+, the highlight.js inside bull-board is still version 9 and causes this warning:

```text
Version 9 of Highlight.js has reached EOL.  It will no longer
be supported or receive security updates in the future.
Please upgrade to version 10 or encourage your indirect
dependencies to do so.

For more info:
```

Therefore, this update of bull-board is critical.

However, from bull-board 0.9.0 to 1.3.0 there are some major changes, such as the switch from JavaScript to TypeScript. With these changes the newer version didn't pass our tests.

Here are the changes I made:

1. Include `BullAdapter` because of the API change

```javascript
// okay with old version; not okay with newer version
// (queue is an existing Bull queue instance created elsewhere in the app)
const { setQueues } = require('bull-board');

// fits the new version's API: every Bull queue is wrapped in a BullAdapter
const { setQueues, BullAdapter } = require('bull-board');
setQueues([new BullAdapter(queue)]);
```

2. Change the middleware

```javascript
// old: bull-board exported the UI middleware directly
// (router is our Express router and protectAdmin our admin auth middleware)
const { UI } = require('bull-board');
router.use('/queues', protectAdmin(true), UI);

// new: bull-board exports its own router; it is renamed to bullBoardRouter
// to avoid the naming conflict with the router from Express
const { router: bullBoardRouter } = require('bull-board');
router.use('/queues', protectAdmin(true), bullBoardRouter);
```

Eventually, I updated all the outdated dependencies before release 1.7. Release 1.7 is also where we replace the Gatsby front-end with a Next.js front-end, which makes it quite a meaningful release. I'm glad we can have a fresh start in this release with a new front-end and all dependencies updated.

After Anton's modification of the dependabot config, dependabot's PR limit has been narrowed down to one PR per package file. Moreover, the automatic rebase feature is turned off. Even though this means more work for us to manually rebase the dependabot PRs, it is the best solution for having dependabot without breaking the GitHub CI at the same time.
