renovate VS yalc

There is no built-in Renovate Bot on a self-hosted GitLab. What can we do to set it up and enjoy all the benefits of automatic dependency updates?

> Yes, it is awesome until you have to sysadmin it, apply updates, patch it, fix security holes, etc. I am not saying all self-hosted solutions are like that. There are exceptions. However, the majority of open-source self-hosted solutions require a lot of extra work.

I'm currently self-hosting 10 different applications on my local server, which represents everything I've ever seen that looked fun or useful to me. Every one of them had a Docker image with an example compose file, which means updating them just requires periodically running Renovate [0] on the repo that stores all my compose files and then running a script that docker compose pulls the updates. It takes maybe 10 minutes every other week, and is actually kinda fun.

It helps that all the apps are only accessible from within my VPN, so I'm not too worried about fixing security updates within a tiny time window.

[0] https://github.com/renovatebot/renovate

This is a big deal! Where did you read this? I found:

https://github.com/renovatebot/renovate/discussions/26917

Renovate is an automated dependency management tool that can be used to keep your dependencies up-to-date. It can be configured to automatically create pull requests to update your dependencies, and it supports a wide range of package managers and platforms.

To get started with Mend Renovate, the comprehensive official documentation provides detailed instructions on installation, configuration, and best practices. Additionally, the Mend Renovate community forum offers a platform for users to connect, share experiences, and access the collective knowledge base.

It is a good practice to keep software up to date. To track changes in upstream software, we can utilize automatic dependency tracking systems such as Dependabot or Renovate. This is a broad topic and requires a separate article to be covered. If you would like to read about it, please vote in the comments section below.

So do other forges: I have Renovate [0] set up on my self-hosted Forgejo and it's worked great so far.

[0] https://github.com/renovatebot/renovate

You can ease some of the burden for yourself though using tooling. If you are using GitHub, dependabot can be configured to make automatic PRs to your repo whenever there are dependencies to update. If you're not a GitHub user, you can use renovate which even supports self hosting.

Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.

Yalc

Yalc - Makes it easy to mock-publish NPM packages and try them in real projects before you publish a new version to NPM.

As well as yarn/npm link mentioned in another comment, https://github.com/wclr/yalc can help with some of this, depending on your workflow/how much you're doing this.

Ah okay, that's much easier. Clone the project repo, make your changes and build the library, then in the react app, either add the local project directory as a dependency, or use something like yalc to add the locally built dependency. This will allow you to use the local copy of the library instead.

Lets look at a concrete example and then maybe we can discuss alternatives.

In this particular case, I would respond with the following:

1. I don't see why this is a problem. Have an "open PRs" link in the onboarding handbook that gives you a view of pull requests from all repos in the organization. GitHub automatically shows you notifications from all repos.

- Have a (Grafana) dashboard where you can see the latest / newest stuff. Use standard GH tools you use for OSS, such as follows etc to keep up.

2. Don't prematurely split into multiple libraries. "No monorepo" doesn't mean not having poly-package repos. It means thinking what the sensible API boundary is - treating your projects as you would treat library development. In this case a separate repo with lib3, lib2 and lib1 sounds like a good way to go - at most one repo per orthogonal internal framework (e.g. core-react-components).

3. Help other teams upgrade. If you are responsible for repo A, once you publish a new version and tag it with semver appropriately, use the dashboard to look at your dependants and work with them (or rather, for them) to upgrade. Think of your dependants as internal customers, and make sure you add enough value for them to justify the upgrade effort.

4. There are other alternatives to `npm link` e.g. see `yalc` https://github.com/wclr/yalc

yalc makes it easy to use locally-developed packages in other projects. It has some other useful options that I didn't mention here; read more about them on the project's README. Hopefully, this helps you get started developing with local packages––good luck!

You can also use yalc which is like an npm store on your engine.. https://github.com/wclr/yalc