Keeping template dependencies safe #87

Open
@dkundel

I think we should invest in some automation that keeps the dependencies safe.

Right now we can use Dependabot to keep top-level dependencies up-to-date but not the nested ones for the templates themselves. My suggestion is the following:

  1. Add every dependency that exists in any template as a devDependency for the root package.json
  2. Create the same automation that we use in github.com/twilio-labs/sample-template-nodejs that will run tests on PRs and, if they pass and the PR came from Dependabot, it will automatically be merged
  3. Create a script that can read the root package.json and update all the nested package.json accordingly
  4. Create a GitHub action that is triggered on push to master that will run the script from (3) and commit any needed changes

Possible concerns/issues:

  • What happens when Dependabot does package-lock.json updates? Should we be concerned or only rely on semver? Most of those are nested deps anyways, meaning we don't have control over them
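
Step 3 of the proposal above, sketched as an added example (not part of the original issue or the project's code): a function that copies version ranges from the root `devDependencies` into one template manifest and reports any template dependency the root does not track, since those would stay outside Dependabot's view. The function name, package names and versions are constructed for illustration.

```javascript
// Sections of a template package.json that should follow the root manifest.
const SECTIONS = ['dependencies', 'devDependencies'];

// rootPkg and templatePkg are parsed package.json objects.
// Returns the updated template manifest, the list of version changes, and the
// dependencies that the root does not track (so no update PR would ever cover them).
function syncTemplateDeps(rootPkg, templatePkg) {
  const pinned = rootPkg.devDependencies || {};
  const updated = JSON.parse(JSON.stringify(templatePkg)); // never mutate the input
  const changes = [];
  const untracked = [];
  for (const section of SECTIONS) {
    const deps = updated[section] || {};
    for (const [name, range] of Object.entries(deps)) {
      // Own-property check so names like "constructor" cannot match the prototype.
      if (!Object.prototype.hasOwnProperty.call(pinned, name)) {
        untracked.push(`${section}:${name}`);
      } else if (pinned[name] !== range) {
        changes.push({ section, name, from: range, to: pinned[name] });
        deps[name] = pinned[name];
      }
    }
  }
  return { updated, changes, untracked };
}

// Constructed sample manifests (package names and versions are placeholders).
const rootPkg = {
  name: 'templates-root',
  devDependencies: { 'example-sdk': '^3.50.0', 'example-http': '^11.8.0' },
};
const templatePkg = {
  name: 'sample-template',
  dependencies: { 'example-sdk': '^3.40.0', 'example-util': '^4.17.15' },
  devDependencies: { 'example-http': '^11.8.0' },
};

const result = syncTemplateDeps(rootPkg, templatePkg);
console.log(JSON.stringify(result.changes, null, 2));
console.log('Not tracked at the root:', result.untracked);
```

A CI job for step 4 could fail the build when `untracked` is non-empty, so a template cannot gain a dependency that the root manifest does not list.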
