Hi all,

I'd like to propose using automatic dependency management in Apache Polaris, and to start a discussion about this topic first.

Keeping dependencies up-to-date is quite important - it helps to not (or better: to less likely) run into security issues or bugs in dependencies. Continuously keeping dependencies up-to-date also keeps the amount of code changes due to updated dependencies down to a manageable amount of work - most of the time contained within the dependency-version-bump PR.


There are two options that I can think of:

## Renovate

Renovate [1] is a highly customizable dependency management tool. We have been using it in projectnessie [4] for all projects for quite some time and are very happy with it. It just works and has been doing its job for years now. Particularly the amount of flexibility and functionality it brings is really nice.

Renovate can update dependencies for all kinds of what they call "managers" [2] - e.g. for Java: Gradle, Gradle Wrapper; for Python: pip, poetry; for Docker images: Dockerfile, Compose; etc.

Different versioning schemes are supported (not just semver).

The Renovate bot comes by each repository approximately every 3 hours. It has configurable limits for the number of open PRs, PRs created per hour, and a ton more options. Dependency updates can cause a PR immediately or at any schedule that's needed - even configured down to the level of individual dependencies.

It can approve PRs automatically and enable automerge. Those can also be configured individually. The same goes for the kind of version bump (major/minor/patch) that requires manual approval rather than automatic approval + automerge.

Thinking a bit ahead in time - when (if) there are multiple version branches to maintain (e.g. branches for version 1.x, 1.1.x, 2.x, etc.): with Renovate it's possible to get dependency updates even for those version branches - "down-scoped" to patch-version bumps only, if configured that way. This could be used to get all the patch-version dependency updates in version branches automatically.

The dependency dashboard (example: [3]) that Renovate opens as a GitHub issue provides a concise overview of dependencies that are scheduled, have been manually edited, are currently open, or are ignored/blocked (by closing the PR, to re-create the PR).

## Dependabot

Dependabot supports fewer "ecosystems", but probably enough for Polaris. Historically, Dependabot didn't do a good job with Gradle version catalogs, but the situation might have improved since the last time I checked it.

Overall, compared to Renovate, it has IMO limited flexibility. It seems (I have never tried it) that the support especially for multiple "managed branches" is not that flexible, if present at all.


What's your opinion on this topic?


Robert

[1] https://docs.renovatebot.com/

[2] https://docs.renovatebot.com/modules/manager/

[3] https://github.com/projectnessie/nessie/issues/5255

[4] https://github.com/projectnessie/nessie/blob/main/.github/renovate.json5

--
Robert Stupp
@snazy
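The following renovate.json5 is an added worked example of the knobs the proposal mentions (per-update-type automerge, rate limits, schedules, a dependency dashboard, and patch-only updates on a version branch). It is not part of Robert's message and not the Polaris or Nessie project's own configuration; the branch name `release/1.x`, the manager list, the limits, the schedules and the label names are assumptions chosen for illustration.

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Added example config; "release/1.x" is an assumed branch name, not a real Polaris branch.
  baseBranches: ["main", "release/1.x"],

  // Opens the dependency dashboard issue (scheduled / open / pending-approval / ignored overview).
  dependencyDashboard: true,

  // Rate limits: at most 4 new PRs per hour and 10 open Renovate PRs at a time (assumed values).
  prHourlyLimit: 4,
  prConcurrentLimit: 10,

  // Default schedule: only create PRs outside working hours (assumed).
  schedule: ["after 10pm and before 5am every weekday", "every weekend"],

  // Supply-chain caveat: wait a few days before picking up a freshly published release,
  // so a malicious or yanked version is less likely to be automerged.
  minimumReleaseAge: "3 days",

  // Only run the managers relevant for a Gradle/Python/Docker repository (assumed list).
  enabledManagers: ["gradle", "gradle-wrapper", "pip_requirements", "dockerfile", "github-actions"],

  packageRules: [
    {
      // main: minor and patch bumps are automerged once the PR's checks are green.
      matchBaseBranches: ["main"],
      matchUpdateTypes: ["minor", "patch"],
      automerge: true,
      automergeType: "pr",
      platformAutomerge: true,
    },
    {
      // Major bumps need a human: the PR is only created after it is ticked on the dashboard.
      matchUpdateTypes: ["major"],
      automerge: false,
      dependencyDashboardApproval: true,
      labels: ["dependencies", "major"],
    },
    {
      // Version branch: "down-scope" to patch bumps only by disabling minor and major updates.
      matchBaseBranches: ["release/1.x"],
      matchUpdateTypes: ["minor", "major"],
      enabled: false,
    },
    {
      // Per-dependency schedule: bump the Gradle wrapper only once a month (assumed cadence).
      matchManagers: ["gradle-wrapper"],
      schedule: ["on the first day of the month"],
    },
    {
      // Group all Docker base image updates into a single PR.
      matchManagers: ["dockerfile"],
      groupName: "docker images",
    },
  ],

  // Vulnerability-driven updates bypass the schedule and are labelled for triage.
  vulnerabilityAlerts: {
    enabled: true,
    labels: ["security"],
    schedule: ["at any time"],
  },
  osvVulnerabilityAlerts: true,
}
```

Two caveats a practitioner would check before enabling automerge: `platformAutomerge` relies on the repository's branch protection rules, so the required status checks must actually be configured on the branch or Renovate will merge a PR that nothing tested; and `vulnerabilityAlerts` only fires if the bot can read the repository's Dependabot alerts, which is a permission question rather than a Renovate setting.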
