dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Add support for Rush #2270

Open GiriB opened 4 years ago

GiriB commented 4 years ago

Rush is an open-source monorepo manager (similar to Lerna) and is extensively used to manage large monorepos within Microsoft. It'll be great to see if dependabot-core can support Rush monorepos too!

We are currently using a fork of dependabot-core which we have modified to support Rush and would be happy to contribute the changes back.

Creating this issue to start the conversations and see if other people are also interested.

renoirb commented 3 years ago

Quoting something I've asked in a private request to Dependabot that's related to the questions about "Add support for Rush" (for posterity)

How should we set up DependaBot when using @microsoft/rush as a monorepo stack? In Rush we can pick Yarn, NPM, or PNPM; all packages are defined in the top-level rush.json file, and the dependencies lockfile is in another folder.

How could one set up dependabot? By telling it where the global shrinkwrap is?

The nice thing with Rush is that it can help enforce the same version of packages. What I understand of dependabot is that it basically changes the shasum to upgrade a package in range for the current dependency. Which might just be OK as is.

But I'm curious about what the dependabot team has to say about this. And if it's possible at all?

sdalonzo commented 3 years ago

We would also be interested in support for this feature! cc @moose0621

thanasis00 commented 3 years ago

My team is also interested in supporting rush with dependabot. Has this thread gone forward somewhere else?

kg-currenxie commented 3 years ago

Same! We're moving away from Lerna.

robmosca commented 2 years ago

Here too, we would need support for rush. 🙋🏽‍♂️

dylandepass commented 2 years ago

+1

Would love to see support for Rush

majg0 commented 2 years ago

Yes please!

ghost commented 2 years ago

We'd love to see support for this!

YanceyOfficial commented 2 years ago

+10086

fstylermiller commented 2 years ago

Bump! Would still love to see rush support.

insignias commented 2 years ago

Any updates on support for this, please?

jeffwidman commented 2 months ago

@GiriB is this still of interest?

We're in a place now to be more open to the conversation than we were when you first opened this. No promises, but we're open to chatting about it.

You'd need to drive the heavy lifting of adding code support and also have a team inside Microsoft that's willing to help engage with the inevitable ongoing maintenance churn of keeping up with Rush changes over time. TBH it's the latter that we're actually most concerned about, as we're a small team.

JamieMagee commented 2 months ago

@jeffwidman I recently spoke with @octogonz who is interested in Dependabot support for Rush as well.

stekycz commented 2 months ago

❔ Question: Does the support have to be specific to Rush.js only? What about supporting overrides of specific commands (e.g. install, update) so that every ecosystem can override them when needed? I am not against Rush.js-specific support, as there may be various use cases for which generic support would not work, but overriding (injecting) custom logic may work for a wider spectrum of ecosystems. Thoughts?

pwbriggs commented 1 month ago

I think @stekycz's proposal could be a good idea. Then 3rd-party tools can provide & maintain their own recommended/example configs, plus it makes it easier for additional 3rd-party tools to add support.

On the other hand, it could be restrictive in that it could cause breaking changes if Dependabot wants to extend or change its functionality in the future.

Either way, I'm looking for Rush support too. Definitely still of interest ❤️