External dependencies
It’s encouraged to use external dependencies that are well maintained. This relieves d-centralize of the burden of maintaining custom code.
Of course, it doesn’t prevent us from contributing.
Locking
It’s important to prevent bit-rot in projects. If a project builds successfully today, it will likely no longer build in a couple of months unless its dependencies are tied to versions that are known to work.
Dependencies defined in a project are required to be locked on the major and minor version. The micro (patch) version may be loosely defined.
Bumping policy
Bumping is the process of tracking new upstream versions.
When a d-centralize project is under development, it’s good to track the latest upstream versions.
When a d-centralize project is in production, any new version of an external library may introduce incompatibilities. Therefore, there’s no good reason to bump, except to gain bug fixes that currently affect us.
Auto-update with Renovate
For any dependencies that do not need to be locked, it’s recommended to keep them up-to-date with Renovate.
Renovate is a bot that runs as a global CI job and scans projects for outdated dependencies. If your project is eligible, you will see an initial Merge Request to activate Renovate for your project by generating a renovate.json file. After merging it, Renovate will scan your dependencies daily and create a Merge Request for any outdated ones. Learn more about Renovate in the official documentation.
You can either accept or skip the update by following the instructions in generated Merge Requests.
Additionally, configure Renovate for your specific repository by modifying the renovate.json file. Configuration options are provided here.
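As an added illustration of both the locking policy above and the per-repository Renovate configuration (not a file from d-centralize or the Renovate project), the following renovate.json uses Renovate's packageRules to keep major and minor versions locked while letting micro versions float. The package name example-lib is a placeholder standing in for a library with a bug fix that currently affects us; the "description" fields act as comments since JSON has none.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Production policy: major and minor versions stay locked, so no Merge Request is opened for them.",
      "matchUpdateTypes": ["major", "minor"],
      "enabled": false
    },
    {
      "description": "Micro versions may be loosely defined, so patch updates are proposed as Merge Requests to accept or skip.",
      "matchUpdateTypes": ["patch"],
      "labels": ["dependencies", "patch"]
    },
    {
      "description": "Placeholder exception: a minor bump of example-lib is allowed because it carries a bug fix that affects us. Later rules override earlier ones.",
      "matchPackageNames": ["example-lib"],
      "matchUpdateTypes": ["minor"],
      "enabled": true
    }
  ]
}
```

Once the rule set is merged, Renovate's daily scan only opens Merge Requests that comply with the policy, and reviewers still decide per Merge Request whether to accept or skip.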