Automate dependency update for node.js projects using renovate and GitlabCI
/ 7 min read
Why update dependencies regularly
Version update can be a daunting task, specially when you are working with a quite old codebase & the dependencies have changes a lot. In such case you’ll have to go through a latest docs & changes logs.
Not keeping your application’s dependencies may lead to security breach & many other things. There are many other reasons to update keep your dependency up-to-date. Here are the few reason:
-
Security: Regular updates help to patch vulnerabilities in dependencies. Developers often discover security flaws in libraries or frameworks, and updates typically include fixes to address these issues. By keeping dependencies up to date, you can minimize the risk of security breaches and protect your application and its data.
-
Bug Fixes: Updates often include bug fixes and improvements. By staying current with the latest versions of dependencies, you can benefit from these fixes, ensuring that your application runs smoothly and without unexpected errors or behavior.
-
Performance: Updates may include optimizations and performance enhancements. By upgrading dependencies, you can take advantage of these improvements, potentially boosting the performance of your application and reducing resource consumption.
-
Compatibility: As technologies evolve, dependencies may introduce changes to maintain compatibility with new platforms, frameworks, or standards. Regular updates help ensure that your application remains compatible with the latest environments, libraries, and best practices.
-
Feature Enhancements: Updates may introduce new features or functionalities that can enhance your application. By staying up to date, you can leverage these new capabilities to improve user experience or add new capabilities to your application.
-
Community Support: Active projects receive ongoing support and contributions from the developer community. By regularly updating dependencies, you signal to the community that you are actively maintaining your project, making it more likely that you will receive assistance and support when needed.
-
Dependency Tree: Dependencies often have their dependencies, creating a dependency tree. Regular updates help ensure that the entire dependency tree remains healthy and up to date, reducing the risk of compatibility issues or security vulnerabilities stemming from outdated dependencies.
One must keep in mind that everything comes at a cost. Updating a dependency may introduce some bug, version conflict, security flaw, etc,.
The downside to updating a dependency may lead to:
-
Testing need: One must test the updated package before promoting it to production. It may lead to bug or inefficiencies.
-
Time and Effort: Keeping dependencies up to date requires time and effort to review changelogs, test updates, and address any issues that arise. This overhead can be significant, especially for applications with a large number of dependencies or complex dependency trees.
-
Dependency Hell: Updating one dependency may trigger a cascade of updates for its dependencies, leading to a complex web of updates and potential conflicts. Managing these dependencies, resolving conflicts, and ensuring compatibility across the entire dependency tree can be time-consuming and challenging.
What is renovate?
Renovate is an open source tool to automate dependency management in software projects. It automates the process of updating dependencies by monitoring package repositories, such as npm for Node.js projects, and creating pull requests (PRs) to update dependencies to their latest versions.
Key features of Renovate include:
-
Automated Dependency Updates: Renovate automatically scans project repositories for outdated dependencies and creates pull requests to update them to their latest versions.
-
Flexible Configuration: Renovate offers extensive configuration options, allowing developers to customize update schedules, dependency types, version constraints, and more.
-
Support for Multiple Package Managers: Renovate supports a wide range of package managers, including npm, Yarn, Pip (Python), Composer (PHP), Maven (Java), and many others.
-
Version Pinning: Renovate can automatically pin dependency versions to specific versions or ranges, ensuring consistent behavior across environments.
-
Continuous Integration (CI) Integration: Renovate integrates seamlessly with CI platforms such as GitHub Actions, Travis CI, CircleCI, and Jenkins, enabling automated testing of dependency updates before merging.
-
Changelog Generation: Renovate can generate changelogs for updated dependencies, providing visibility into the changes introduced by each update.
-
Merge Strategies: Renovate supports various merge strategies, including automatic merging, manual approval, and scheduling, allowing teams to choose the most appropriate approach for their workflow.
Overall, Renovate streamlines the dependency management process, helping teams keep their projects up to date with the latest security patches, bug fixes, and feature enhancements while reducing manual effort and ensuring consistent dependency versions across environments.
How does renovate works
Creating pull requests
Renovate uses platform’s (like gitlab) API to search & find open/closed PRs. It does it by matching:
- branch name
- pull request title
If the above conditions matches then it does not creates a new PR.
When a unique PR(their title relating to the version in the upgrade), renovate does not creates new PR with same version in future.
Renovates does the same with the major version release.
For example:
- If you ignored major version update of
tailwindcsstov4by closing renovate-bot’s PR. - renovate assumes the you don’t want any update of
v4oftailwindcss - renovate won’t create any update PRs for
v4of tailwindcss, even if there are newer versions of v4.
Detecting changelogs
Renovate detects updates & fills changelogs by:
- Identifying a source URL within the datasource response for a package, and storing it internally as sourceUrl if detected.
- Verifying whether Renovate’s internal manual metadata for the package contains a source URL.
- Searching for the source URL if it is hosted on a supported platform (such as GitHub).
- Examining both the repository’s “Releases” metadata and any commonly known “changelog” file names.
- Refining the located releases to encompass only the versions targeted for update by the current pull request (PR).
- Formatting and integrating the outcomes into the PR description.
For private packages
In addition to above steps it follows below steps:
- It checks for accessibility, if accessible does the following
- Looks for source url in the response
How to configure renovate?
Below are the yaml config file you need.
Create a new repository in gitlab & paste the below given code in the specified files.
include: - project: 'renovate-bot/renovate-runner' file: '/renovate.gitlab-ci.yml'
renovate: rules: - if: '$CI_PIPELINE_SOURCE == "schedule"' - if: '$CI_PIPELINE_SOURCE == "push"'variables: RENOVATE_BASE_DIR: $CI_PROJECT_DIR/renovate RENOVATE_ENDPOINT: $CI_API_V4_URL RENOVATE_PLATFORM: gitlab RENOVATE_ONBOARDING_CONFIG: '{"$$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": ["config:recommended"] }' RENOVATE_OPTIMIZE_FOR_DISABLED: 'true' RENOVATE_REPOSITORY_CACHE: 'enabled' RENOVATE_LOG_FILE: renovate-log.ndjson RENOVATE_LOG_FILE_LEVEL: debug CI_RENOVATE_IMAGE: ghcr.io/renovatebot/renovate:37.128.2@sha256:c6608b859b9678a6150d5399c4a4e0ff971b2d58a6bddfd1d228b276c95cd41e
.renovate: cache: key: ${CI_COMMIT_REF_SLUG}-renovate paths: - renovate/cache/renovate/repository/ image: ${CI_RENOVATE_IMAGE} script: - renovate $RENOVATE_EXTRA_FLAGS
renovate: extends: .renovate stage: deploy resource_group: production rules: - if: '$CI_PIPELINE_SOURCE == "schedule"' artifacts: when: always expire_in: 1d paths: - '$RENOVATE_LOG_FILE'Finally, to run renovate you need to set your pipeline’s environment variables.
How to set environment variables & schedule renovate runner
Navigate to Build > Pipelines > Run pipeline > CI/CD settings & set following variables:
-
Personal Access Token: with scope
read_user,api,write_repository& set it asRENOVATE_TOKEN. -
GitHub.com Personal Access Token : with
minimumscope & set it asGITHUB_COM_TOKEN. It sole purpose is to authenticated requests to github.com for Changelog retrieval as well as for any dependency that uses GitHub tags. Without this token github.com’s api will rate limit requests and make such lookups unreliable. So if you are not scheduling for frequent dependency update you can skip it. -
List of repo: You need to set list of repos against which renovate will run. It should be space separated values e.g.,
username/repo-name-1 username/repo-name-2 username/repo-name-3asRENOVATE_EXTRA_FLAGS.
To create schedule pipeline navigate to Build > Pipeline schedules & then set Interval Pattern.
Now you are all set to go. You’ll see new new MR being created by renovate automatically (only if there’s any package to be updated).
Conclusion
In conclusion, automating dependency updates for Node.js projects using renovate-bot and GitLab CI offers numerous advantages. By leveraging renovate-bot’s automated dependency management capabilities, developers can streamline the process of keeping dependencies up to date, ensuring that projects benefit from the latest bug fixes, security patches, and performance improvements. GitLab CI integration enables seamless integration of dependency updates into the development workflow, allowing for automated testing and validation of updates before merging into the main codebase. This approach not only improves developer productivity by reducing manual effort but also enhances the overall stability, security, and maintainability of Node.js projects. Embracing automation with renovate-bot and GitLab CI empowers development teams to stay ahead of dependency updates efficiently and focus on delivering value-added features to users.
To get the codebase follow the link
To learn more about renovate here