Comments (19)
From @bennyn on November 13, 2017 11:41
It would be great if dependabot would support a mono-repository structure! Basically, all you would have to do is to evaluate package.json files recursively.
from dependabot-core.
We should definitely be supporting mono-repos - in the backend we actually have support for adding multiple directories for the same project/language, but never added it to the frontend because we couldn't figure out the design. I'll have a think.
@sobolevn - I'll look at Lerna, but it might have to wait a while.
In the meantime, if anyone has a monorepo that they want to try Dependabot on, let me know and I can add the directories in the repo manually in the backend.
From @bennyn on November 15, 2017 11:6
@greysteil We are using a Lerna monorepository at: https://github.com/wireapp/wire-web-packages - Can you enable monorepo support for us (we already installed Dependabot for this repository)?
Uh oh, it looks like I've over-reached a little here. I didn't fully understand how Lerna works with Yarn, but can see now that there's more work here to be done on the Dependabot side.
@bennyn - since your repo uses Yarn workspaces I can't get it up-and-running manually (since workspaces mean you've got a single `yarn.lock` shared across many `package.json` files). I'll have a look at adding support over the next week or so, but can't promise how quick it will be.
From @bennyn on November 15, 2017 13:56
@greysteil Can you do the following?
- Update all dependencies in the `package.json` files of every package inside the packages folder (and forget about their `yarn.lock` files)
- Go to the root folder (containing the "packages" folder) and update dependencies in the package.json file
- Execute `yarn install` and `lerna bootstrap` in the root directory
- Create a PR with the updated `package.json` files and the `yarn.lock` file of the root
Sadly not - Dependabot hacks around with the internals of Yarn (and Bundler, Composer and Pip) in order to avoid performing installs (and a bunch of other reasons). As a result, in situations like this there's normally quite a bit of work to get everything up and running. We also don't clone your repos, instead preferring to fetch only the files we need.
I've made a start on this in #129. Lots more to do, but it will happen there.
From @simondel on November 17, 2017 10:45
This would be awesome for us as well! We don't use yarn or the package.lock.json or anything. Our use case would be:
- Update `**/package.json`
- Create a PR to run the CI
I tried using Greenkeeper earlier today but unfortunately they don't seem to support this setup yet.
Our repo for reference: https://github.com/stryker-mutator/stryker
OK, quick update on this:
We're nearly there on Yarn workspaces support. There's a bug in it right now, but I'm hoping to have that cleaned up today. If you're using Yarn and Lerna, that's probably what you want. (More detail.) Yarn workspaces support is now live!
- Once that's done, I'll look into Lerna support more broadly. This may take a little while.
If you're not using lockfiles (@simondel) we're a little further off, and the appropriate issue to track is this one. We now handle JS repos that don't use lockfiles!
Hope that helps make everything clear. @simondel - I'd definitely chat to the Greenkeeper guys about Lerna support if I was you, they ought to be all over that :)
Another update: Dependabot can now support mono-repo structures. If you've got a mono-repo with many directories, each of which have their own `package.json` and `package-lock.json` (or `yarn.lock`) you can now add the same language multiple times in the Dependabot dashboard, specifying a different directory each time. Dependabot will treat the updates completely independently, so you don't have to merge an update to all your dependencies at once.
We're actually using this flow on `dependabot-core` to keep the files in `helpers/yarn` and `helpers/npm` up-to-date.
In future, we'll also add Lerna support, which would allow you to add Dependabot just once and get PRs that update all your packages at once.
From @exactlyaron on February 13, 2018 16:3
Hi all.
We have a monorepo and are looking for something to keep everything up to date that supports Lerna, so we're very happy to see you're working on support for it!
I had a little test of Dependabot and in the dashboard when I've added a couple of directories located in the 'packages' directory of our repo it is showing as 'Error bumping dependencies' yet PRs have actually happened. The 'plugins' directory is fine though.
Is this known @greysteil ?
Thanks
From @bennyn on February 13, 2018 16:9
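@AronM28: At Wire we are using Dependabot with a mono-repository managed by Lerna: https://github.com/wireapp/wire-web-packages
As you can see in our merged PRs, it works really well: https://github.com/wireapp/wire-web-packages/pulls?q=is%3Apr+is%3Aclosed+author%3Aapp%2Fdependabot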
If there's an error bumping any of your dependencies you'll see that status (and I'll get an error report on my side). I've been away for the last week (I'll be back from holiday on Friday), so am a little behind on digging into those errors - sorry!
On 13 Feb 2018, at 06:09, Benny Neugebauer [email protected] wrote:
@AronM28: At Wire we are using Dependabot with a mono-repository managed by Lerna:
https://github.com/wireapp/wire-web-packages
As you can see in our merged PRs, it works really well: https://github.com/wireapp/wire-web-packages/pulls?q=is%3Apr+is%3Aclosed+author%3Aapp%2Fdependabot
And thanks @bennyn!
From @exactlyaron on February 15, 2018 8:22
After overloading Travis initially, I redid everything in a more patient manner and it looks good!
Great work @greysteil !
@AronM28 - FYI, I got back from holiday today and hunted down that bug. It was caused by `hl-pg-client` being listed in the dependencies for address-matcher but not published on the registry. Presumably this works locally because Lerna takes care of it.
The fix (in eb414d0) I've put in place is to ignore dependencies that aren't listed on the registry for library `package.json` files.
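The behaviour described in the comment above (skip dependencies that are not on the registry, which in a Lerna repo are usually sibling packages), as an added example that is not Dependabot's own code. The repo contents, the `publishedOnRegistry` set standing in for a registry lookup, the `internal-lint-rules` name and all version ranges are constructed assumptions; only the names `address-matcher` and `hl-pg-client` come from the thread.

```javascript
// Constructed sample monorepo: path -> parsed package.json (not real project files).
const repo = {
  "packages/address-matcher/package.json": {
    name: "address-matcher",
    dependencies: { "hl-pg-client": "^1.0.0", lodash: "^4.17.4" },
    devDependencies: { "internal-lint-rules": "^0.1.0" }, // hypothetical name
  },
  "packages/hl-pg-client/package.json": {
    name: "hl-pg-client",
    dependencies: { pg: "^7.4.0" },
  },
};

// Assumption: stands in for a registry lookup so the example runs offline.
const publishedOnRegistry = new Set(["lodash", "pg"]);

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// For every manifest, split declared dependencies into:
//   updatable      - present on the registry, safe to check for new versions
//   skippedSibling - not on the registry but defined in this repo (Lerna links it)
//   skippedUnknown - neither on the registry nor in this repo
function classifyDependencies(manifests, isPublished) {
  const siblings = new Set(
    Object.values(manifests).map((m) => m.name).filter(Boolean)
  );
  const report = {};
  for (const [path, manifest] of Object.entries(manifests)) {
    const entry = { updatable: [], skippedSibling: [], skippedUnknown: [] };
    for (const field of DEP_FIELDS) {
      for (const name of Object.keys(manifest[field] || {})) {
        if (isPublished(name)) entry.updatable.push(name);
        else if (siblings.has(name)) entry.skippedSibling.push(name);
        else entry.skippedUnknown.push(name);
      }
    }
    report[path] = entry;
  }
  return report;
}

const report = classifyDependencies(repo, (n) => publishedOnRegistry.has(n));
console.log(JSON.stringify(report, null, 2));
```

Entries under `skippedUnknown` resolve neither from the repo nor from the registry, so they are the ones worth reviewing by hand.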
From @exactlyaron on February 15, 2018 20:20
@greysteil Brilliant, thanks a lot for the help! I had a feeling it was probably down to an unpublished package. There's a few more which probably came about for that same reason.
It is something that has been noted on some other things, another pro for publishing all the things.
From @exactlyaron on April 16, 2018 8:50
Probably a long term nice to have but the ability to update package.json settings en masse would be nice.
For example, so with our monorepo I think there are 28 packages, so you'd need to manually change every setting for each individual one. It would be nice to be able to select all in the repo to set bump frequency or auto merge setting.
Closing in favour of the PR at #197.