Thu 19 Apr 2018 4:38PM

Add Greenkeeper to keep deps updated

AA Andrea Ascari Public Seen by 205

Keeping deps updated is a thorn in the side, mostly when this involve break changes.

Greenkeeper provides a low-effort way to accomplish this, by automatically submitting prs (with the benefit of CI) when new library versions are released.

How many want to add it to our setup? :)


Satya Fri 20 Apr 2018 11:13AM

I'm not in favour of paying 300USD/year for this. I don't see the added value.


Andrea Ascari Fri 20 Apr 2018 11:23AM

The pricing is for private repos. As reported below the price table they will always support open source projects:

"We support Open Source Software: Greenkeeper will always be free for public repositories!"


Satya Fri 20 Apr 2018 11:43AM

Right, missed that! Then it's cool I guess :sunglasses:


RJ Fri 20 Apr 2018 12:50PM

I'm not sure I'm a fan of this. I think we need to think really hard about our upgrade strategy & policy for dependencies. There is a major security risk in my opinion already there, and auto updating deps isn't going to help


Andrea Ascari Fri 20 Apr 2018 1:00PM

I see you concern about this, but it's not auto updating. Greenkeeper makes PR, so you can merge them or not. Also, I think it's helpful just cause reminds you there's dependency to update and it's something that should be done often instead having to stop once in a while and made huge upgrades.


Vojtěch Šimetka Fri 20 Apr 2018 6:09PM

I think it is save to try for the tie being. But it opens bigger discussion we had before: How do we ensure there is no malicious code in our dependencies? Something that would just trigger a transaction. Does our move from in-DApp wallet to external web3 providers like metamask help here?


Andrea Ascari Sat 21 Apr 2018 11:46AM

I think the optimal setup would require heavy tests, which should be done anyway. At the beginning you can just give a try to the PR created by GK, and if you're happy with that merge it.