check also deps added to HTML files (libs at CDN, etc.)

[dkocich]

• my web PHP project contains app/Resources/views/master.html.twig main HTML file where I add

  <script src=" {{ asset('assets/lib/jquery/jquery-3.3.1.min.js') }}"></script>
  <script src=" {{ asset('assets/lib/popper.js-1.14.6/dist/umd/popper.min.js') }}"></script>
  <script src=" {{ asset('assets/lib/bootstrap-4.3.1-dist/js/bootstrap.min.js') }}"></script>
  ...
  <link rel="stylesheet" type="text/css"
      href="https://cdn.jsdelivr.net/npm/cookieconsent@3.1.1/build/cookieconsent.min.css"/>
  <script src="https://cdn.jsdelivr.net/npm/cookieconsent@3.1.1/build/cookieconsent.min.js"></script>

• I am using composer for PHP dep management; NPM only for dev mode (for rebundling of CSS and live reload, etc.)

• I guess that Dependabot could be configurable also to check static HTML or template file syntax to detect potential issues in those dependencies (the only way I can think of now would be setting up Dependabot to check both composer.json and package.json files, where I have to "duplicate" all the packages I use in HTML, but that would only work as a "reminder for manual update" - I would be able to merge only incomplete changes and I have to do adjustment of version in an HTML manually)

[asciimike]

For local dependencies, it feels like a bundler like webpack or browserify is going to be the best solution, since that shouldn't have versions in the HTML.

This obviously doesn't work for CDN delivered content, so you can either include it locally and bundle it as above, or pin to a @latest if such a thing is provided (though if they do major version updates, it has the potential to break you, looks like jsdelivr offers @major which might work well). But if they're just npm modules, going the bundler route feels like the "right" way to solve this.

[dkocich]

I understand that checking local dependencies and asset file updating might be a problem and it would need to also add deps locally - I added it to have 2 examples here. I do not want to use the @latest or @major and broke my project any time or implement tests in tens of projects because of that. I also do not want to use bundler bcs I do not want my users to redownload bundled jquery/momentjs for the 100th time again from another website...

I think that a simple configuration with the checked file path and "template syntax" should be enough for me to quickly configure dependabot so it can help me with maintenance and I can be notified about potential changes, short changelog summary, or link to docs for manual review. I think it might be helpful enough to check for 100-500 most downloaded libraries from CDN in the file (not all NPM deps or CDN content).

[neviaumi]

+1 for the feature of check inline CDN update. Renovate have this feature support already

Here is my use case,

Recently i want develop some simple HTML on github document.

It only contain html , js (web components), bootstrap CSS

So i don't want make it so complex with include WebPack, Babel ...etc. for just want dependence update working.

[major]

I do not want to use the @latest or @major

Just saying hello since you mentioned me. 👋🏻 🤭

[MurrayJack]

Did anything come from this? I would also like dependabot to chech static HTML file as we dont want to use a package maneger

user case

we have a old legacy MVC product this has a global template that supplies all the scripts these scripts use the <script and live on one of the public CDNs