mozilla / tofino

Project Tofino is a browser interaction experiment.
https://mozilla.github.io/tofino
Apache License 2.0

Consider keeping deps up-to-date with greenkeeper.io #149

Closed linclark closed 8 years ago

linclark commented 8 years ago

This service has been very popular since it came out late last year, and is used by a lot of open source projects.

Greenkeeper sits between npm and GitHub, observing all of the modules you depend on. When they get updated, your project gets a pull request with that update. Your CI tests kick in, and Greenkeeper watches them to see whether they pass. If they do, you can just click the merge button, and we'll even auto-close branches for older versions for you. If not, you can use the branch to fix things.

https://greenkeeper.io/#how-it-works

jsantell commented 8 years ago

I'd be interested in trying this for sure! Was the frequency ever too much in other projects? Like daily lodash PRs or anything?

linclark commented 8 years ago

If we continue to pin to specific versions, then the frequency may be too much. We'd get a PR for any version bump in any dependency.

But with the safeguard that greenkeeper provides, we might be able to use ranges. If we used ranges, greenkeeper would run the test suite for any new version of a dependency and submit a PR if a new version broke tests. They call that Real Time Dependency Break Detection.

For example, let's say we used the version range ~2.71.0 for request. All of us downloaded request when it was at 2.71.0 so that's what we're working with. Now let's say that 2.72.0 comes out and it breaks something which we catch in our tests. We would get a PR letting us know that 2.72.0 breaks our code. So greenkeeper would have notified us before any of the developers had noticed. We could then change the version range to exclude that version while we figure out what's going on.

I'm not sure if this makes using ranges acceptable to us, but might be worth considering.
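
The pinned-versus-range trade-off discussed in the comment above, as an added example that is not part of the original thread: a minimal matcher for exact, tilde and caret specifiers that splits a list of releases into those a fresh install accepts with no manifest change and those that need a pull request. The release list is constructed, the function names are hypothetical, and prerelease tags and other range syntax are not handled.

```javascript
// Added example: minimal matcher for exact, tilde (~) and caret (^) specifiers.
// Prerelease tags and other range syntax (||, x-ranges, hyphens) are not handled.

function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a range that starts at `base`.
function upperBound(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0];   // patch-level changes only
  if (major > 0) return [major + 1, 0, 0];        // caret: keep leftmost non-zero part
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(version, spec) {
  const op = spec[0] === '~' || spec[0] === '^' ? spec[0] : '';
  const base = parse(spec.slice(op.length));
  const v = parse(version);
  if (op === '') return compare(v, base) === 0;   // exact pin
  return compare(v, base) >= 0 && compare(v, upperBound(op, base)) < 0;
}

// inRange: installed by a fresh `npm install` with no package.json change.
// outOfRange: reaches the project only through a reviewed manifest change.
function classify(spec, releases) {
  const out = { inRange: [], outOfRange: [] };
  for (const r of releases) (satisfies(r, spec) ? out.inRange : out.outOfRange).push(r);
  return out;
}

// Constructed release list for a dependency, oldest first.
const RELEASES = ['2.71.0', '2.71.1', '2.72.0', '3.0.0'];

for (const spec of ['2.71.0', '~2.71.0', '^2.71.0']) {
  const { inRange, outOfRange } = classify(spec, RELEASES);
  console.log(spec.padEnd(8), 'in range:', inRange.join(' '), '| needs PR:', outOfRange.join(' '));
}
```

Everything in the `in range` column is code that lands on developer and CI machines without a reviewed diff, so the width of the specifier decides how much of the dependency's release stream is trusted in advance.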

linclark commented 8 years ago

In the meeting we discussed using greenkeeper with npm shrinkwrap. Unfortunately the two don't work well together yet, but the greenkeeper folks are working on it.

Do we want to turn greenkeeper on now, or wait? Turning it on now means we'll get a PR each time a dependency has even a patch release... or it means using dependency ranges instead of pinning.

linclark commented 8 years ago

It looks like there hasn't been progress on shrinkwrap/greenkeeper in that other issue.

If there's still no progress by next week's meeting, I will propose that we turn on greenkeeper even though we'll still have pinned dependencies.

Anyone who gets notifications for the repo will get lots more, so we'll have to figure out a Gmail filter people can use. Then we can do a weekly pass through the PRs and take care of them.

zeke commented 8 years ago

> Was the frequency ever too much in other projects?

Greenkeeper can be a bit noisy for a single-maintainer side project, but given the active development state of tofino I think the frequency would be fine.

linclark commented 8 years ago

Greenkeeper has been enabled.