How to automate NodeJS/npm dependency updates?

Question

I'm maintaining some large NodeJS applications(micro-services, apps), which consume many(at least 100+) dependencies. Updating those dependencies to fix a security vulnerability forces me to spend valuable development time.

Is there any way to automate package updates across repositories?
We're using GitLab for SCM.

I had thought of some options like:

Separating out core dependencies into a base level library.
Maintain a repository that specifies security-cleared dependency versions and repositories to be updated whenever the cleared list changes.

Any additional suggestions/examples?

Try using Dependabot, It is for GitHub, but I did see this => https://gitlab.com/dependabot-gitlab/dependabot — RedYetiDev, Mar 16 '21 at 18:58

the-petrolhead · Answer 1 · 2021-03-19T08:23:50.000

Just to help shortlist approaches mentioned in the question:

1. Separating core dependencies into a "Core" library.

This can reduce the number of updates. But the libraries based on "Core" sill still have their own dependencies, which may be prone to vulnerabilities and the update cycle must be repeated for them manually. This approach just procrastinate the manual updates.

2. Maintain a repository that specifies security-cleared dependency versions and repositories to be updated whenever the cleared list changes.

Couple of options here:
- Article on automating via pipeline scripts
  - GitHub: Use next-update + Hub CLI
  - GitLab: Use next-update + Lab CLI
- Implement dependabot-core(GitHub) or dependabot-gitlab(GitLab)
- Implement renovate.

How to automate NodeJS/npm dependency updates?

1 Answers1