
📄 Dependency Management Strategy

This guide outlines the API3 DAO strategies for managing dependencies of our actively maintained repositories. Each repository's "Dependencies Owner" is tasked with implementing these strategies, ensuring the continuous health, stability, and security of their projects.

Introduction

Maintaining up-to-date dependencies is crucial for the security, functionality, and performance of our projects. This document outlines our comprehensive strategy for managing updates, handling breaking changes, and ensuring the smooth operation of our repositories.

See: https://github.com/api3dao/tasks/issues/1855 for details.

Key Decisions

  1. Dependency Update Tool: We use Renovate, configured to check for updates on a two-week or monthly basis, depending on the project's requirements and the team's capacity.

  2. Dependencies Owner: Designated individuals, known as "Dependencies Owners," are responsible for regularly monitoring and managing updates in their assigned repositories. Their role is to ensure that dependencies are current and that upgrades do not break existing functionality. Assignments consider the individual's capacity and familiarity with the repository. The role of Dependencies Owner may rotate among team members to spread knowledge and experience within the team. The Dependencies Owner for each actively maintained repository is documented in the list of actively maintained repositories.

  3. Update Strategy: Our approach is both aggressive and balanced. We aim to be proactive in updating dependencies to leverage the latest features and security patches, but we exercise caution with new releases that lack widespread adoption or have known issues.

  4. Semantic Versioning: We adhere to semantic versioning (semver) guidelines, starting from 1.x, since 0.x versions can introduce breaking changes in any release. This practice assists in making informed decisions about updates, especially major version changes that could introduce breaking changes.

  5. Internal Dependencies: We won't delay development or releases of our utility repos because they are used in other internal projects. Coordination, proper versioning, and scheduled releases manage these dependencies effectively.

  6. Testing: We emphasize the need for robust testing practices. This approach ensures that we are not hesitant about merging dependency updates. If necessary, we will enhance testing protocols to maintain confidence in our updates and overall project stability.

Setting Up Renovate

Effective dependency management requires a strategic approach to updates, tailored to each project's needs. Renovate helps automate this process, but it's crucial to set it up correctly to align with our dependency management strategy.

  • Install Renovate: Add Renovate to your project by installing it as a GitHub app. Configure Renovate by including your repository in its settings to ensure it functions seamlessly within your project’s environment and CI/CD pipeline.

  • Create Renovate Configuration: Generate a renovate.json file in your repository's root. This file is central to customizing Renovate's behavior. Given the tool's flexibility, different projects might have distinct configurations reflecting their specific update rules, schedules, and operational preferences.

  • Customize Update Rules and Schedule: Within renovate.json, define the types of updates you want to apply (e.g., automatic patch updates, minor/major version updates, specific package updates). Also, establish an update schedule that aligns with your project's maintenance cycle. For a two-week schedule, you might use "schedule": ["every 2 weeks on Monday"], or for a monthly update, "schedule": ["on the first day of the month"]. This practice ensures that updates are systematic and predictable, fitting into your team's workflow and the broader dependency management strategy.

  • Notification and Review Process: Configure Renovate to notify the "Dependencies Owner" when it creates Pull Requests. This setting ensures the responsible individual or team reviews and merges the changes, maintaining oversight of project dependencies.

  • Monitor and Adjust: After the initial setup, observe the Pull Requests Renovate generates. It's important to verify that Renovate's actions align with your expectations and project requirements. If they don't, refine the renovate.json configurations. This ongoing adjustment optimizes Renovate's performance and ensures your project's stability and security.
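The configuration below is an added illustration, not a file taken from any API3 repository: it puts the setup steps above and the Key Decisions (monthly cadence, Dependencies Owner review, caution with fresh releases, the 1.x semver boundary, internal packages, and security updates) into one Renovate file. It is written as renovate.json5, a file name Renovate also accepts, so that comments can explain each setting. The reviewer handle, the @api3 npm scope for internal packages, the label names and the seven-day release age are assumptions chosen for the example.

```json5
{
  // Assumed example configuration; adjust names and values to the repository.
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Monthly cadence from this guide. A two-week cadence would use the
  // alternative schedule string given in the section above instead.
  timezone: "UTC",
  schedule: ["on the first day of the month"],

  // Route every Renovate PR to the Dependencies Owner (placeholder handle),
  // and keep a dashboard issue listing pending and rate-limited updates.
  assignees: ["dependencies-owner-placeholder"],
  reviewers: ["dependencies-owner-placeholder"],
  dependencyDashboard: true,
  labels: ["dependencies"],

  // Do not pick up a release until it has been public for a week, and skip
  // versions whose upstream release checks are failing. This is the
  // "caution with new releases" decision expressed as config.
  minimumReleaseAge: "7 days",
  internalChecksFilter: "strict",

  packageRules: [
    {
      // Patch updates of stable (>= 1.0.0) packages are low risk under semver:
      // automerge them once the repository's CI is green.
      matchUpdateTypes: ["patch"],
      matchCurrentVersion: ">=1.0.0",
      automerge: true,
    },
    {
      // 0.x packages may break on any bump: never automerge, flag for review.
      matchCurrentVersion: "<1.0.0",
      addLabels: ["pre-1.0-review"],
      automerge: false,
    },
    {
      // Assumed scope for API3's own utility packages: group them so that
      // internal dependencies move together in a single PR.
      matchPackagePatterns: ["^@api3/"],
      groupName: "api3 packages",
    },
    {
      // Major bumps get an explicit label so the owner reads the changelog.
      matchUpdateTypes: ["major"],
      addLabels: ["breaking-change"],
    },
  ],

  // PRs that fix a reported vulnerability bypass the monthly schedule.
  vulnerabilityAlerts: {
    labels: ["security"],
    schedule: ["at any time"],
  },
}
```

Before committing a change to this file, run Renovate's own validator (`npx --package renovate renovate-config-validator`) from the repository root; it rejects unknown keys and malformed schedule strings, which otherwise only surface as Renovate silently doing nothing. The vulnerabilityAlerts block only has an effect when the hosting platform reports advisories for the repository (on GitHub, Dependabot alerts must be enabled and visible to the Renovate app).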

Remember, the goal of automated dependency management is to streamline updates efficiently and safely. Balancing automation with informed, manual oversight achieves this, keeping our projects healthy and up-to-date.

Feedback and Continuous Improvement

We recognize that effective dependency management is an iterative process that requires the collective insight of all team members. We encourage feedback, suggestions, and active participation from the team to continuously refine and improve this strategy.


Owner: UNKNOWN