[feature] Dependabot like tool to automate updating lockfiles #71
Comments
There has been some work to automate the process of bumping dependencies in the conan-extensions repo. Specifically: https://github.com/conan-io/conan-extensions/tree/main/extensions/commands/recipe. These extensions are community maintained but centralized. There currently isn't anything for lockfiles, but I can see the utility you're talking about and I think additional logic would be welcome there. I realise your request is for a bot, but this could be a good first step.
Or additional features related to lockfiles which will make developing such a bot easier. For example, npm outdated, which does a bit more than the extension you shared. I'm personally looking for solutions that will also work in a private conan repository.
Hi @stackfun, thanks for the suggestion. Also, at this moment, it doesn't sound like something we could prioritize enough, so it will probably rely on the community, or need to wait some time. Thanks!
There's been an update: dependabot is now accepting community contributions for new ecosystems again: dependabot/dependabot-core#1616 (comment). It does still state that they want "an ecosystem maintainer [...] interested in integrating with Dependabot, and [...] willing to help provide the expertise necessary to build and support it", so ideally someone from the jfrog/conan team, not just some random user with some half-knowledge about how it might be supposed to work. If this doesn't apply to anyone here, any idea whom best to contact? Should people lodge support tickets with jfrog directly? Especially enterprise customers might have some traction that way...
Thanks for the heads up @SvenStaehs. At the moment we have a long roadmap, too many high priority things on the backlog, so it seems we cannot put resources from the team in the very short term. But let's have a look first just in case and think a bit about it. Just a couple of quick notes:
We ended up creating an internal tool for this. Our bot requires a conanfile and the list of profiles the team builds against. On a configurable schedule, it creates the full dependency graph for each profile, dedupes the resolved recipe revisions, stores/updates the lockfile, and submits a PR with a description of which dependencies changed. There's lots of functionality that's missing compared to GitHub's dependabot, but it still has proven to be extremely useful. Unfortunately I probably can't share the tool anytime soon, as it uses our own wrapper Conan APIs to add custom functionality.
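The two lockfile-handling steps described in that comment (deduplicating the references resolved for several profiles, and working out which dependencies changed so the PR can describe them) can be illustrated with plain Python over Conan lockfiles. The following is an added example written for this page, not the poster's internal tool and not code from the Conan project. It assumes the Conan 2.x lockfile layout, a JSON object with "version" and "requires"/"build_requires"/"python_requires" lists whose entries have the shape "name/version#recipe_revision%timestamp"; the two sample lockfiles, including every revision hash and timestamp, are constructed for the example.

```python
"""Lockfile bump-bot building blocks: merge per-profile locks, diff old vs. new.

Added example, not the poster's tool or Conan's own code. Assumes the Conan 2.x
lockfile layout; the sample lockfiles and their revision hashes are constructed.
"""
import json
from collections import defaultdict

SECTIONS = ("requires", "build_requires", "python_requires")

# Constructed sample lockfiles: revisions and timestamps are made up.
OLD_LOCK = {
    "version": "0.5",
    "requires": [
        "zlib/1.2.13#3bb5e1b0c4b4d3f7b9a3c9b2e2d1f0a1%1700000000.0",
        "openssl/3.1.0#0a1b2c3d4e5f60718293a4b5c6d7e8f9%1700000001.0",
        "fmt/10.1.1#9f8e7d6c5b4a39281706f5e4d3c2b1a0%1700000002.0",
    ],
    "build_requires": ["cmake/3.27.0#1111111111111111111111111111aaaa%1700000003.0"],
    "python_requires": [],
}
NEW_LOCK = {
    "version": "0.5",
    "requires": [
        "zlib/1.3.1#5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d%1710000000.0",
        "openssl/3.1.0#0a1b2c3d4e5f60718293a4b5c6d7e8f9%1700000001.0",
        "spdlog/1.12.0#abcdef0123456789abcdef0123456789%1710000001.0",
    ],
    "build_requires": ["cmake/3.28.1#2222222222222222222222222222bbbb%1710000002.0"],
    "python_requires": [],
}


def load_lock(path):
    """Read a conan.lock file from disk (JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def split_ref(entry):
    """'name/version#rrev%ts' -> (name, 'name/version#rrev').

    The timestamp is dropped on purpose: the same recipe revision re-uploaded
    later is not a dependency change and should not trigger a PR.
    """
    ref = entry.split("%", 1)[0]
    name = ref.split("/", 1)[0]
    return name, ref


def refs_by_name(lock, section):
    """Group a lockfile section by package name (a lock may pin several versions)."""
    grouped = defaultdict(set)
    for entry in lock.get(section, []):
        name, ref = split_ref(entry)
        grouped[name].add(ref)
    return grouped


def merge_profile_locks(locks):
    """Union of the lockfiles produced for each profile, deduplicated per section."""
    merged = {"version": "0.5"}
    for section in SECTIONS:
        merged[section] = sorted({e for lock in locks for e in lock.get(section, [])})
    return merged


def diff_lockfiles(old, new):
    """Per section: packages added, removed, or resolved to a different reference."""
    result = {}
    for section in SECTIONS:
        before, after = refs_by_name(old, section), refs_by_name(new, section)
        result[section] = {
            "added": sorted(r for n in after.keys() - before.keys() for r in after[n]),
            "removed": sorted(r for n in before.keys() - after.keys() for r in before[n]),
            "updated": [
                {"name": n, "old": sorted(before[n]), "new": sorted(after[n])}
                for n in sorted(before.keys() & after.keys())
                if before[n] != after[n]
            ],
        }
    return result


def render_pr_description(diff):
    """Markdown body for the bot's pull request, one section per lockfile list."""
    lines = ["Automated Conan lockfile update", ""]
    for section, changes in diff.items():
        if not any(changes.values()):
            continue
        lines.append(f"## {section}")
        lines.extend(f"- added {ref}" for ref in changes["added"])
        lines.extend(f"- removed {ref}" for ref in changes["removed"])
        lines.extend(
            f"- {u['name']}: {', '.join(u['old'])} -> {', '.join(u['new'])}"
            for u in changes["updated"]
        )
        lines.append("")
    return "\n".join(lines).rstrip() + "\n"


if __name__ == "__main__":
    print(render_pr_description(diff_lockfiles(OLD_LOCK, NEW_LOCK)))
```

Two design points matter for review of the generated PR. First, the diff is keyed on name and recipe revision, not on version alone, so a bump that keeps "zlib/1.2.13" but moves to a different revision still shows up; the revision identifies the exact recipe content, which is what a reviewer needs to see for supply-chain purposes. Second, the upload timestamp is stripped before comparing, so a re-upload of an identical revision does not produce a noisy PR. Conan itself offers `conan lock merge` for combining lockfiles; the merge function here is a minimal stand-in so the example runs offline.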
Thank you @memsharded for the assessment! And to @stackfun for your take. Obviously any change thus created needs to go through PR review before it can be merged, so it's not a show-stopper if it's not perfect, but it's understandable that it's not the highest priority for the conan team to spend effort and end up with a fundamentally flawed tool.
If you plan to impose restrictions, maybe using the
Thanks for the feedback!
If your conanfile had version ranges like
In addition, in our setup, each of our Jenkins builds creates a new recipe revision, so the lockfile helps control the builds of each internal component. In this way, our bot is still useful even without version ranges in the conanfiles.
What is your suggestion?
Unfortunately, dependabot has stopped accepting feature requests to support other package managers. See this GitHub thread here
A tool like this would greatly supplement Conan lockfiles.
For our internal components, we're going to ask teams to start checking in the lockfile beside their conanfile. However, teams are hesitant to adopt this as it is another process that they need to maintain, and it's not something they're familiar with. If this process were automated, I'm sure there would be greater adoption.
Here are a few key features in dependabot that would be useful
Conan specific features/considerations
conan config install
Have you read the CONTRIBUTING guide?