How is Probot project managing dependency updates?

[oscard0m]

Hi Probot team!

I was wondering how Probot manages outdated dependencies. I see some commits from dependabot but when running npm outdated I see a big amount of outdated dependencies:

If you need help/ideas on checking why dependencies are not updated I would be happy to help.

Thanks!

[gr2m]

We currently use dependabot, but maybe we should migrate to Renovate and enable the lockfile update feature, that should keep the outdated (sub)dependencies at check. Dependabot is tailored towards end-user application which probot is to some extend, but most probot/* repositories are libraries, renovate would work better. Would you like to help with the migration?

[oscard0m]

@gr2m would make sense to use "github>octokit/.github" directly or do we create its own preset under probot/.github?

[gr2m]

Actually, good idea to just reference "github>octokit/.github" 👍🏼 We can change that if necessary in future.

[oscard0m]

I added some missing logic to @octoherd/script-setup-renovate. I think we are ready to run this across the repos of the org you would like to have Renovate.

The script requires a token with privileges to push directly on the defaultBranch branch. @gr2m

I noticed it creates/updates .json removing the new lines and spaces completely, is this a blocker to our use-case? (see octoherd/script-setup-renovate#29) fixed here

[oscard0m]

We are live with Renovate already 👏🏽

[oscard0m]

Renovate migration info:

	#Number	Status	Query
Number of repositories in Probot	51	✅	query
Number of repositories with package.json not archived	34	✅	query
Number of repositories with package.json with word "renovate"	0	✅	query
Number of repositories with .github/renovate.json	36 (removed manually from talks and tweets	✅	query

• chore(.github): remove unused Renovate configuration talks#2
• chore(.github): remove unused Renovate configuration twitter#27