Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
booi 3 days ago

Is there some sort of easy operational way to do this? There are well known tech companies that do this internally but afaik this isn't a feature of OSS registries like verdaccio

fclairamb 3 days ago | parent | next [-]

Renovate is a great (and free) tool to update your dependencies. By default it will update packages in the hours (often minutes) of their release but you can change that behavior with the minimumReleaseAge parameter.

https://docs.renovatebot.com/configuration-options/#minimumr...

jamietanna 3 days ago | parent | next [-]

Yep, Renovate's `minimumReleaseAge` is what you want here

Dependabot has recently added this functionality too - it's called `cooldown`

https://docs.github.com/en/code-security/dependabot/working-...

(I'm soon to be working at Mend on Renovate full time, but have been a big fan of Renovate over other tools for years)

jamietanna 2 days ago | parent [-]

For anyone following, we (Renovate maintainers) are making this an inbuilt "best practice" that users who already opt into using the `config:best-practices` preset will start getting for free!

https://github.com/renovatebot/renovate/pull/37967

Apfel 3 days ago | parent | prev [-]

The one big problem Renovate brings is when it automerges and breaks everything with e.g. a TypeScript upgrade. It's simple enough to handle and prevent but has required quite a lot of developer education for those who are not particularly frontend-focused in my experience.

jamietanna 3 days ago | parent [-]

Interesting, so you've enabled Renovate's automerge functionality for dependencies?

Renovate uses signals like your CI to work out whether things break before an automerge occurs - does that mean your CI didn't catch the breakage? Or something I've missed?

(there's also the "merge confidence" that can help here)

(I'm soon to be working at Mend on Renovate full time)

wallrat 3 days ago | parent | prev [-]

There are dependency firewalls that let you enforce this (e.g. https://docs.bytesafe.dev/policies/delay-upstream/). Don't know any OSS solutions though.