build(deps): Fix renovate lockfile maintenance #5955

Open: wants to merge 4 commits into base: master

jacobmichels

Description

I recently installed starship (at commit f353ab4ad1a4dcc9ca9268b3db0dc271842aab10) via cargo install starship --locked and received the following warning:

warning: package `ordered-multimap v0.7.1` in Cargo.lock is yanked in registry `crates-io`, consider running without --locked

I did not like to see that starship was being built with a yanked dependency.

I cloned starship/starship and ran cargo update --dry-run and found that there were many updates available in cargo.lock. I inspected starship's renovate config and saw that lockFileMaintenance is supposed to be enabled, which should have prevented the lockfile getting too stale, but it appears to be misconfigured.

{
    ...
    "packageRules": [
        ...
        // Update (rust) lockfiles weekly
        {
            "matchDatasources": ["crate"],
            "lockFileMaintenance": {
                "enabled": true,
                "extends": ["schedule:weekly"]
            }
        }
    ],
    ...
}

Renovate's docs suggest configuring lockFileMaintenance differently. I modified the renovate config to enable lockFileMaintenance on a weekly schedule and have it automerge. The renovate docs say automerging lockFileMaintenance is safe.

I also looked through renovate bot's PRs on this repo and verified that no lockfile maintenance PRs had been opened.

Motivation and Context

lockFileMaintenance is misconfigured; it should be fixed.

Screenshots (if appropriate):

How Has This Been Tested?

  • I have tested using MacOS
  • I have tested using Linux
  • I have tested using Windows

I am unsure how to test this.

Checklist:

  • I have updated the documentation accordingly.
  • I have updated the tests accordingly.
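
A check for the misplacement described above, as an added example that is not part of the PR or the starship repository. It follows the description's reading that lockFileMaintenance belongs at the top level of the Renovate config rather than inside a packageRules entry; the function name and the corrected sample config are assumptions, not the PR's actual diff.

```python
import json

# Constructed sample: the packageRules entry quoted in the PR description,
# with the JSON5 comment and "..." elisions removed so json.loads accepts it.
BEFORE = json.loads("""
{
  "packageRules": [
    {
      "matchDatasources": ["crate"],
      "lockFileMaintenance": {"enabled": true, "extends": ["schedule:weekly"]}
    }
  ]
}
""")

# Assumed corrected shape (not the PR's actual diff): top-level option,
# weekly schedule preset, automerge on.
AFTER = json.loads("""
{
  "lockFileMaintenance": {
    "enabled": true,
    "automerge": true,
    "extends": ["schedule:weekly"]
  }
}
""")


def lint_lockfile_maintenance(config):
    """Return a list of findings about lockFileMaintenance placement."""
    findings = []
    top = config.get("lockFileMaintenance")
    if not (isinstance(top, dict) and top.get("enabled") is True):
        findings.append("top-level lockFileMaintenance is not enabled")
    for i, rule in enumerate(config.get("packageRules", [])):
        if "lockFileMaintenance" in rule:
            # Report which matchers scope the rule the option is buried under.
            matchers = sorted(k for k in rule if k.startswith("match"))
            findings.append(
                f"packageRules[{i}] nests lockFileMaintenance under {matchers}; "
                "move it to the top level"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_lockfile_maintenance(cfg) or "ok")
```

The check does not resolve presets listed in `extends`, so a config that enables lock file maintenance through a preset is reported as not enabled.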

@andytom changed the title from "fix renovate lockfile maintenance" to "deps: Fix renovate lockfile maintenance" (May 2, 2024)
@andytom changed the title from "deps: Fix renovate lockfile maintenance" to "build(deps): Fix renovate lockfile maintenance" (May 2, 2024)
@davidkna (Member) left a comment

I would have preferred to only update the cargo lockfiles and avoid bumping the npm lockfile for the docs.
But since only updating that isn't currently possible and since the docs have a basic build-check in CI now, this should be fine.

.github/renovate.json5 (review thread: outdated, resolved)

@jacobmichels (Author)

I'm unsure why the config schema up-to-date check is failing. I would attempt a fix, but the warnings give me no lead. Merging master in didn't fix.

@davidkna (Member) left a comment

LGTM
