Checking generated lucky projects front-end dependencies #1261
-
@stephendolan and I started this discussion in Discord, but I wanted to document it here for more input from the community. The idea here is that when we generate a new lucky project, we are generating front-end assets by default. Things like the rails_ujs, turbolinks, laravel-mix, etc... We have these all locked in to versions in the generated package.json file. Currently we don't have any clear way to know if you generate a new lucky project if your front-end will be up-to-date, or have security holes from not being patched. It sounds like we may be able to just add the Dependabot add-on to the lucky_cli project, then configure that to point to the package.json file inside of the browser_application_skeleton project. There may be a few small hurdles like the yarn.lock getting in the way, but probably nothing we can't work around easily. My only experience with dependabot is when it sends PRs to my projects to say my yarn.lock needs to be updated. I generally ignore these because I've never seen an issue where it's super important. I want to hear from others that have experience with this that may know more. Let me know your thoughts.
Replies: 3 comments 4 replies
-
I use Dependabot pretty aggressively in all of my Lucky projects (even allowing it to bump package.json versions), and have yet to run into issues. I also don't have a super critical production application yet, so I auto-merge everything on CI/CD success to keep the work I have to do minimal. Here's how Dependabot has helped Lucky Jumpstart: And here's the dependabot configuration I'm using:

```yaml
version: 1
update_configs:
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"
    target_branch: "master"
    allowed_updates:
      - match:
          update_type: "all"
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "all"
    version_requirement_updates: "increase_versions"
```

If we wanted something similar for the CLI app, we'd just need to change
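For reference, here is what the setup proposed in the opening post and the settings from the reply above look like in the current GitHub-native Dependabot configuration format (`version: 2`). This is an added example, not a file from the thread or from the Lucky project: the `directory` path is an assumed placeholder and has to be set to wherever the skeleton's `package.json` actually lives inside lucky_cli. The `npm` ecosystem also updates a Yarn v1 `yarn.lock` sitting next to the manifest, which is the "yarn.lock getting in the way" concern from the opening post.

```yaml
# .github/dependabot.yml in the lucky_cli repository (added example, not the project's own file)
version: 2
updates:
  # Watch the front-end dependencies that end up in every freshly generated
  # Lucky project: the package.json (and yarn.lock) of the browser skeleton.
  - package-ecosystem: "npm"                          # covers package.json with npm or Yarn v1 lockfiles
    directory: "/src/browser_application_skeleton"    # ASSUMED placeholder path; adjust to the real location
    schedule:
      interval: "weekly"
    target-branch: "master"
    # Raise the version pinned in package.json rather than only refreshing the
    # lockfile, so generated projects actually receive the patched releases.
    versioning-strategy: "increase"
    allow:
      - dependency-type: "all"                        # direct and transitive, production and development
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "javascript"
```

Two differences from the legacy config in the reply above: `version: 2` has no `automerged_updates` key, so auto-merging on green CI has to be done with a separate workflow or merge rule rather than in this file, and security-only updates are driven by Dependabot alerts on the repository rather than by a setting here, so the version updates above are what keeps the template's pins moving between alerts.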
-
I like the idea of using dependabot 👍 Right now manually updating the package.json is scary and a bit of an annoyance to do manually
-
Lacking any strong objections, I'll open up an issue on the CLI project to automate these dependency updates! Thanks for the input, everyone.