Add Greenkeeper to keep deps updated

Keeping deps updated is a thorn in the side, mostly when this involves breaking changes.
Greenkeeper provides a low-effort way to accomplish this, by automatically submitting PRs (with the benefit of CI) when new library versions are released.
How many want to add it to our setup? :)

Andrea Ascari Fri 20 Apr 2018 11:23AM
The pricing is for private repos. As reported below the price table, they will always support open source projects:
"We support Open Source Software: Greenkeeper will always be free for public repositories!"

Satya Fri 20 Apr 2018 11:43AM
Right, missed that! Then it's cool I guess :sunglasses:

RJ Fri 20 Apr 2018 12:50PM
I'm not sure I'm a fan of this. I think we need to think really hard about our upgrade strategy & policy for dependencies. There is a major security risk in my opinion already there, and auto updating deps isn't going to help.

Andrea Ascari Fri 20 Apr 2018 1:00PM
I see your concern about this, but it's not auto updating. Greenkeeper makes PRs, so you can merge them or not. Also, I think it's helpful just because it reminds you there's a dependency to update, and it's something that should be done often instead of having to stop once in a while and make huge upgrades.

Vojtěch Šimetka Fri 20 Apr 2018 6:09PM
I think it is safe to try for the time being. But it opens a bigger discussion we had before: How do we ensure there is no malicious code in our dependencies? Something that would just trigger a transaction. Does our move from in-DApp wallet to external web3 providers like MetaMask help here?

Andrea Ascari Sat 21 Apr 2018 11:46AM
I think the optimal setup would require heavy tests, which should be done anyway. At the beginning you can just give a try to the PR created by GK, and if you're happy with that, merge it.

Satya · Fri 20 Apr 2018 11:13AM
I'm not in favour of paying 300USD/year for this. I don't see the added value.