External dependencies

Using well-maintained external dependencies is encouraged: it relieves d-centralize of the burden of maintaining custom code.

Of course, that doesn’t prevent us from contributing upstream.

It’s important to prevent bit-rot in projects. If a project builds successfully today, chances are it will no longer build in a couple of months unless its dependencies are tied to versions that are known to work.

Dependencies declared in a project must be locked to a specific major and minor version. The micro (patch) version may be left loosely defined.
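One way to audit that rule, added here as an example and not part of d-centralize’s tooling: the script below classifies PEP 440-style specifiers from a requirements.txt as exact, minor-locked (major and minor fixed, micro loose), major-locked or unpinned, and lists the lines that violate the policy. The Python project layout is an assumption made for the example; the policy itself is language-agnostic. The sample requirements file is constructed.

```python
"""Flag requirement specifiers that do not lock at least the major and minor version.

Added example, not d-centralize tooling. It assumes a Python project with PEP 440
specifiers in requirements.txt; the policy itself is language-agnostic.
"""
import re

INF = float("inf")
SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][0-9A-Za-z.*+-]*)")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def _parts(version: str) -> list:
    """'2.31.0' -> [2, 31, 0]; '3.1.*' -> [3, 1, '*']; a pre-release tag ends parsing."""
    out = []
    for piece in re.split(r"[.+-]", version):
        if piece == "*":
            out.append("*")
        elif piece.isdigit():
            out.append(int(piece))
        else:
            break
    return out


def _lower(p: list) -> tuple:
    """(major, minor) of the smallest version a >=, ~= or == clause admits."""
    minor = p[1] if len(p) > 1 and p[1] != "*" else 0
    return (p[0], minor)


def _upper_exclusive(p: list) -> tuple:
    """(major, minor) of the largest version a '< p' clause still admits."""
    if len(p) == 1:                          # <3      -> 2.x is allowed
        return (p[0] - 1, INF)
    minor = p[1] if p[1] != "*" else 0
    if len(p) > 2 and p[2] not in (0, "*"):  # <2.32.1 -> 2.32.0 is allowed
        return (p[0], minor)
    if minor > 0:                            # <2.32   -> 2.31.x is allowed
        return (p[0], minor - 1)
    return (p[0] - 1, INF)                   # <3.0    -> 2.x is allowed


def pin_level(requirement: str) -> str:
    """Classify one requirement as 'exact', 'minor', 'major' or 'unpinned'.

    'exact' and 'minor' (major.minor locked, micro loose) satisfy the policy.
    """
    low = high = None
    for op, ver in SPEC_RE.findall(requirement.split(";")[0]):  # drop env markers
        p = _parts(ver)
        if op == "!=":
            continue
        if op in ("==", "===") and "*" not in p:
            return "exact"
        if op in ("==", "~="):
            # '==' locks every component before the '*'; '~=' all but the last given.
            locked = p.index("*") if "*" in p else len(p) - 1
            lo, hi = _lower(p), ((p[0], p[1]) if locked >= 2 else (p[0], INF))
        elif op in (">=", ">"):
            lo, hi = _lower(p), None
        elif op == "<":
            lo, hi = None, _upper_exclusive(p)
        else:  # "<="
            lo, hi = None, (p[0], p[1] if len(p) > 1 and p[1] != "*" else INF)
        if lo is not None:
            low = lo if low is None else max(low, lo)
        if hi is not None:
            high = hi if high is None else min(high, hi)
    if low is None or high is None or low[0] != high[0]:
        return "unpinned"
    return "minor" if low[1] == high[1] != INF else "major"


def check_requirements(text: str) -> dict:
    """Map each requirement name in a requirements.txt body to its pin level."""
    levels = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option
            continue
        levels[NAME_RE.match(line).group(1)] = pin_level(line)
    return levels


def non_compliant(text: str) -> list:
    """Names whose pin is looser than major.minor and therefore violate the policy."""
    return [n for n, level in check_requirements(text).items() if level not in ("exact", "minor")]


# Constructed sample, not a real d-centralize requirements file.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0              # exact pin
urllib3~=2.0.7                # >=2.0.7, ==2.0.*  -> micro loose, minor locked
psycopg[binary]==3.1.*        # minor locked
cryptography>=41.0.0,<41.1    # explicit range inside one minor
flask>=3.0                    # no upper bound
pyyaml~=6.0                   # >=6.0, ==6.*      -> only major locked
boto3>=1.28,<2                # whole major
rich                          # unpinned
"""

if __name__ == "__main__":
    for name, level in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name:14} {level}")
    print("policy violations:", ", ".join(non_compliant(SAMPLE_REQUIREMENTS)))
```

Note that `~=2.0.7` passes while `~=6.0` does not: the compatible-release operator only locks the components before the last one given, so a two-component `~=` leaves the minor version open.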

Bumping is the process of tracking new upstream versions.

While a d-centralize project is under development, it’s good to track the latest upstream versions.

Once a d-centralize project is in production, any new version of an external library may introduce incompatibilities. There is therefore no good reason to bump, except to pick up bug fixes (security fixes included) that currently affect us.

For dependencies that do not need to be locked, it’s recommended to keep them up to date with Renovate.

Renovate is a bot that runs as a global CI job and scans projects for outdated dependencies. If your project is eligible, you will see an initial Merge Request that activates Renovate for your project by generating a renovate.json file. After merging it, Renovate scans your dependencies daily and creates a Merge Request for each outdated one. Learn more about Renovate in the official documentation.

You can accept or skip each update by following the instructions in the generated Merge Request.

Every scanned repository inherits a shared global config, which the runner applies through RENOVATE_CONFIG_FILE. It already provides the config:recommended preset, a one-week minimumReleaseAge (a release is not proposed until it has been public for a week, which keeps freshly published and possibly compromised or quickly yanked versions out of your Merge Requests), automerge of minor and patch updates, lock-file maintenance, and custom managers that track hand-pinned tool versions (for example _VERSION values annotated with a # renovate: comment in .gitlab-ci.yml, Dockerfiles, and shell scripts). You get all of this without adding anything to your repository.
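To check whether a hand-pinned tool version would actually be picked up by those annotation-based custom managers, here is an added example (not part of this page or of the shared Renovate config) that replays the matching in Python over constructed .gitlab-ci.yml and Dockerfile snippets. The exact regex used by the global config is not reproduced on this page, so the pattern below is an assumption modelled on the # renovate: datasource=... depName=... convention from the Renovate documentation. An unannotated _VERSION pin is reported separately, because Renovate would leave it to rot without a warning.

```python
"""Replay Renovate's annotation-based custom-manager matching over CI and Dockerfile snippets.

Added example, not d-centralize code. The shared global config's real regex is
not shown on the page, so ANNOTATION below is an assumption modelled on the
'# renovate: datasource=... depName=...' convention from the Renovate docs.
"""
import re

# Assumed matcher: a '# renovate:' comment immediately followed by a *_VERSION
# assignment in YAML ("X_VERSION: '1.2.3'"), Dockerfile ("ARG X_VERSION=1.2.3")
# or shell ("X_VERSION=1.2.3") form.
ANNOTATION = re.compile(
    r"#\s*renovate:\s*datasource=(?P<datasource>[a-z0-9.-]+)"
    r"\s+depName=(?P<depName>\S+)"
    r"(?:\s+versioning=(?P<versioning>\S+))?"
    r"[^\n]*\n"                                 # rest of the annotation line
    r"\s*(?:ARG\s+|ENV\s+|export\s+)?"          # optional Dockerfile/shell keyword
    r"(?P<name>[A-Za-z0-9_]+_VERSION)\s*[:=]\s*"
    r"[\"']?(?P<currentValue>[^\s\"']+)[\"']?"
)

# Any *_VERSION assignment at the start of a line, annotated or not.
BARE_VERSION = re.compile(
    r"^\s*(?:ARG\s+|ENV\s+|export\s+)?(?P<name>[A-Za-z0-9_]+_VERSION)\s*[:=]\s*"
    r"[\"']?(?P<currentValue>[^\s\"']+)[\"']?",
    re.MULTILINE,
)


def tracked_versions(text: str) -> list[dict]:
    """Every annotated pin the assumed custom manager would find and bump."""
    return [m.groupdict() for m in ANNOTATION.finditer(text)]


def untracked_versions(text: str) -> list[str]:
    """Hand-pinned *_VERSION values with no annotation: invisible to Renovate."""
    seen = {m["name"] for m in tracked_versions(text)}
    return [m.group("name") for m in BARE_VERSION.finditer(text) if m.group("name") not in seen]


# Constructed samples, not taken from any real d-centralize repository.
SAMPLE_GITLAB_CI = """\
variables:
  # renovate: datasource=docker depName=node versioning=docker
  NODE_VERSION: "18.17.0"
  # renovate: datasource=github-releases depName=hadolint/hadolint
  HADOLINT_VERSION: v2.12.0
  # pinned by hand but never annotated, so it will quietly rot
  KUBECTL_VERSION: 1.27.3
"""

SAMPLE_DOCKERFILE = """\
FROM debian:bookworm-slim
# renovate: datasource=github-releases depName=mikefarah/yq
ARG YQ_VERSION=v4.35.1
RUN curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" \\
    -o /usr/local/bin/yq && chmod +x /usr/local/bin/yq
"""


def report(text: str, label: str) -> None:
    """Print what Renovate would track in one file and what it would miss."""
    print(f"== {label}")
    for hit in tracked_versions(text):
        print(f"  tracked   {hit['name']}={hit['currentValue']} ({hit['datasource']}:{hit['depName']})")
    for name in untracked_versions(text):
        print(f"  UNTRACKED {name}: add a '# renovate:' annotation above it")


if __name__ == "__main__":
    report(SAMPLE_GITLAB_CI, ".gitlab-ci.yml")
    report(SAMPLE_DOCKERFILE, "Dockerfile")
```

The annotation has to sit on the line directly above the assignment; a comment elsewhere in the file does not count, which is why KUBECTL_VERSION in the sample shows up as untracked.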

Because the shared defaults apply globally, keep your renovate.json minimal and use it only for repository-specific overrides:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json"
}

Add packageRules only for what is specific to your repository, such as a dependency that must not auto-update:

{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    { "matchPackageNames": ["postgis/postgis"], "enabled": false }
  ]
}

Do not re-extend the global config from your repository:

{ "extends": ["local>dc/dcentralize/renovatebot:renovate_global_config.json5"] }

The runner already applies that file to every repository. Pulling it back in as a repository preset re-imports runner-only options such as autodiscover and detectHostRulesFromEnv into repository scope, where they are meaningless and trip RENOVATE_FATAL_WARNINGS, so the run fails instead of merely warning. For everything you can override, see the configuration options.