Renovate your project

Patryk Woziński, Fresha Engineering
5 min read, Jul 13, 2021

Well, keeping dependencies up to date is a complex responsibility. I am sure you have had many cases in the past where you were tackling too many outdated libraries, security vulnerabilities, and so on. I would like to share with you the story of how we are facing this problem at the Fresha team.

So, let us start with the problem. Please imagine an application developed by 100 people at the same time. It is impressive how often changes appear in the git log. This application has also been in development for five years or more. As you probably know, it is nonsense to write every low-level implementation from scratch on your own. In that case, you probably use some open-source libraries, and that is great, absolutely great! But it is a double-edged sword. Yes, you do not need to waste your engineers' time on reinventing the wheel. But! You need to keep everything fresh and on the newest possible versions because of bugs, performance, or security reasons. That is the challenge we will address in this post!

[Photo: Malte Luk @ pexels.com]

At Fresha, we are using Renovate to keep everything up to date. Let us stop here for a moment. Renovate is an automation tool that prepares updates of specific libraries. It supports a huge number of technologies, and it is not only for keeping the stack of your base package managers fresh. It can also take care of other services or tools we use, like Docker images, docker-compose definitions, CircleCI orb versions, etc.

How does Renovate work?

You could start by installing Renovate in your project. You have a few options to do that, and all of them are free (awesome!). In our example, we install the tool using GitHub Apps. The Renovate team described that perfectly in their documentation (there are many more options for running Renovate, like self-hosted, etc.). Then the first pull request should be automatically opened in your repository. It will contain the basic configuration in renovate.json. Of course, you can modify it as you wish, and in the next part of this post I will introduce you to some fancy settings that you can use. After merging the configuration, Renovate will open pull requests in your repository with updated dependency settings and also create an issue with the dependency dashboard, listing all pending package bumps, from which you can force a pull request to be created. That is great!

My favorite settings that you should consider using.

There are a lot of configuration options that you can change for your projects. I will share with you some of my favorite settings. Then I will describe what we were able to achieve thanks to them. Let us not waste time and jump into the details!

Create pull requests only when a version is stable enough.

Sometimes we could receive updates with things that are too new. For example, one of your libraries got an update one hour ago, and Renovate is ready to give you a pull request upgrading your application to the newer dependency version. But, you know, sometimes it's better to wait, because this part of the application is risky. Renovate has excellent options for that! In that case, my favorite settings look like this:

With those settings, Renovate will open a pull request with an update seven days after the release, and only if your project's Continuous Integration passes.

Are you using a monorepo? I have something for you!

If you are using a monorepo pattern in your project, then there are a few things that you could set.

In this example, we have three dependency managers: Composer (PHP), Mix (Elixir), and npm (JavaScript). When Renovate creates PRs, it assigns the specified reviewers to them, which is good.

Hold your horses, I have an older project, and I don't want this spam.

Yes, Renovate could spam your pull requests and eat your entire Continuous Integration quota. That is possible, of course. In that case, I have some pretty inspiring settings that you should consider using.

Thanks to this, you will not receive any patch version updates, and pull request creation is limited to a maximum of once per hour. Another option is to set a schedule for bumping dependencies. You can straightforwardly tell Renovate to make pull requests every weekday night after 10 PM and before the next morning. Thanks to that, you avoid distracting developers during working hours.
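The configuration snippets for the three sections above (stability window, monorepo reviewers, and spam control) did not survive on this page, so here is my own reconstruction of a single renovate.json5 that puts them together. It is an added example, not the author's gist: the team slugs and timezone are placeholders, the key names are Renovate options that existed in mid-2021, and the vulnerabilityAlerts block is an extra I added so that security advisories are not held back by the schedule or the stability window.

```json5
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],

  // "Stable enough": wait seven days after a release before proposing it...
  "stabilityDays": 7,
  // ...and only raise the PR once the branch's status checks are no longer
  // pending. With stabilityDays set, Renovate's own "stability" check keeps
  // the branch pending until the release has aged, so no premature PR appears.
  "prCreation": "not-pending",

  // Anti-spam for an older project: at most one new PR per hour, and only
  // at night on weekdays so developers are not distracted during work hours.
  "prHourlyLimit": 1,
  "timezone": "Europe/Warsaw",            // placeholder: pick your team's zone
  "schedule": ["after 10pm every weekday", "before 5am every weekday"],

  "packageRules": [
    // Skip patch-level bumps entirely; minor and major updates still arrive.
    { "matchUpdateTypes": ["patch"], "enabled": false },

    // Monorepo with three managers: route each manager's PRs to its owners.
    // The team slugs are placeholders, not real Fresha teams.
    { "matchManagers": ["composer"], "reviewers": ["team:php-owners"] },
    { "matchManagers": ["mix"],      "reviewers": ["team:elixir-owners"] },
    { "matchManagers": ["npm"],      "reviewers": ["team:js-owners"] }
  ],

  // Security advisories bypass the schedule and the stability delay and get
  // a label so the rotation team can find them first.
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"],
    "prCreation": "immediate"
  }
}
```

Newer Renovate releases (v37 and later) renamed stabilityDays to minimumReleaseAge; substitute that key if your validator rejects the old one.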

You will find more great settings in the official Renovate documentation.

Renovation Rotation: what is that?

Okay, so now we have the tool, but what about the process? As you might know, if something is everybody's responsibility, then it's nobody's responsibility. How did we deal with it? Here at Fresha, we have a process named Renovation Rotation. It is a pretty new ceremony in Engineering, but we can already say it gives us a lot of value. As you may have guessed, some of the updates are fine to merge automatically. We can do that thanks to good code coverage across all test types (unit, functional, e2e). But it is not always that easy, and that is why we have Renovation Rotation. It's a rotating dependency-update duty during which each of the teams takes care of the package updates in turn. It's a simple queue.

The teams should fix security vulnerabilities first, then take care of the other things they could update. These rotations are monthly. Each squad has a month to update as many things as possible (when it's reasonable) within their product sprints. Of course, team managers know this is part of the work and culture at Fresha and make time for it in the scrum sprints. When a team finishes its turn to clean up, it posts a short update, so the rest of Engineering has a holistic picture of what has changed.

I enjoy using this tool, and I think a culture of keeping the stack up to date is extremely valuable. Go on, check out Renovate and renovate your project; don't let outdated dependencies take over your system.

Patryk Woziński, Fresha Engineering: Product Engineer with many years of experience in creating and designing web applications. #DDD freak