• Stop manually updating dependencies! Use a bot to auto update NPM dependencies and submit a PR.

Call me old school, but I don't think it's a good idea for a mass distributed application to have its dependency chain automatically updated by bots. Not to mention, I've personally had more issues with incomplete update actions than the problems those things actually solve when I've tried using them.

But, somebody needs to be more diligent about running update routines more often. It should be close to impossible for those lock files to go more than a couple of weeks without a revision.

Why would dropping hound and use gh actions solve this?

Wouldn't it be easier to specify the correct version in hound.yaml or npm?

@mbabker If the JS tests are thorough, this should be fine. If you're not gonna have PR's raised, at least get the bot to submit an issue. Joomla does not keep deps up to date at all

@HLeithner Same reason why this ticket was raised.

I mean feel free to keep it as you wish, but I'm talking as someone to manages NPM packages on a daily basis. So I like to think I know what I'm talking about.
You keep Hound, it will eventually cause problems, like it has already.
You don't actively update dependencies, it will eventually cause problems.
This doesn't get merged (#28024), well, it's already preventing NodeJS 13 users such as myself running npm i.

That are to different issues or? One thing is that our deps are out of date and the other thing is that hound doesn't use the same version as our ci.
The second problem is not solved by switching to github actions or did I miss something?

@HLeithner So there are two problems.

1. Dev Dependencies are rarely updated.

• This means people who use the latest of NodeJS will run into problems at some point
• Someone ends up having to do a mass dependency updates which can be a tedious tasks if there are lots of B/C breaks (If you've ever used webpack, you'll know what I mean). Gradual and frequent updates is a good course of action. The problem is that nobody ever knows that there are dependency updates. So using a bot can solve this.

2. Mismatch in dependency versions
Hound uses default versions for linters and their quite old. The problem is that if you ever update one of the dependency linters:

1. You'll probably forgot to update the version in the .hound.yml
2. Hound only supports a subset of versions. You can't just define any version you want, so you'll most likely always have mismatch.

If you use Github Actions, it will install the linter version defined in the package.json (or lock file if you run ci). This means local and CI linting is all done under the same version. I also means tasks are kept in house rather than being done by a different 3rd party service.

@C-Lodder

1. Ok having a bot creating pr's is an option we should consider but doesn't prevent us from understanding the changes and check b/c problems.

2. I have no problem replacing one service with another if it works better and is better maintainable. I will check this with ATT

Ok having a bot creating pr's is an option we should consider but doesn't prevent us from understanding the changes and check b/c problems.

1. In which case, have the bot create an issue rather than a PR
2. Or, have the bot do a PR for dev dependencies only. This way Github Actions can run the build and let you know if it works or fails.

that would only be true if we have 100% test coverage^^

You don't need 100% test coverage for dev dependencies. You simply need to try and build using npm i. If it successfully builds, great. If not, something needs fixing

Of course for dev deps that's easier

I do have an issue introducing yet another CI system into our workflow. We already have 5 CI systems active and I don't think adding Github Actions as a sixth one is a good step forward. I proposed this earlier already to pull in the hound checks into Drone CI.

Regarding the dev dependencies: Yes, we need a way to update these regularly. The move to join the com_media dependencies and the general dependencies is already a great step forward in fixing this mess. Thank you for that. Using a bot to automatically update this is something that I'm hesitant as well. I've seen a few issues with that in the past... I was about to propose to find someone who would do this once a month, but to be honest, that wont really happen, so maybe using a bot to create PRs would still be the best solution here. We can still ignore the PRs or make them better ourselfs.

We already have 5 CI systems active

Yup and they're external services. You've got the opportunity to move them all into a single place.

Using a bot to automatically update this is something that I'm hesitant as well

If you do this on dev dependencies and use CI, then there's reason reason to be hesitant. Simple merge if the build is successful.

I was about to propose to find someone who would do this once a month

Well for the last few months, I haven't been able to build Joomla locally on NodeJS 13 because nobody cares to update them.

Isn't this what greenkeeper is for? We use it on some of our repo

https://github.com/apps/greenkeeper

@brianteeman It's not keeping things green

??

Greenkeeper brings safety & consistency to npm with real-time monitoring and automatic update testing for your dependencies. Let a bot send you informative and actionable pull requests and issues so you can easily keep your software up to date and in working condition.

I mean it's not being used on the joomla-cms repo

Yes i realise that. I meant
Can we not use greenkeeper to handle this for us. From the description it does exactly what you are all asking for and as we already use it on some of our repo so someone must have already decided it was a good idea

I think dependabot would be a better choice as it's owned by Github

I turned off Greenkeeper where it was in use because it was failing miserably more often than not and the times it did run still required me to trigger build steps to actually update all the resources. Hence why I am not a fan of Dependabot or Greenkeeper or any of those other automatic update dependency services.

(And the last dependabot update I merged to the issue tracker silently broke image uploads, so there’s a strike against that one too)

@mbabker as mentioned before, if the maintainers are too worried about bot Pr's, then have the bot create an issue instead. Deps are completely forgotten about in Joomla

Has been fixed