nodejs/security-wg

Automate updates of all dependencies

mhdawson opened this issue · 30 comments

FYI if you are not aware there is a PR to add a workflow for updating the timezone information: nodejs/node#43988.

Updating ICU itself is sometimes done together with V8 updates if V8 has bumped ICU versions.

@richardlau thanks for pointing that out.

@RafaelGSS, @facutuesca maybe what we should focus on is looking at all of the dependencies, if updates are automated and if not identify which ones should be, and prioritize which ones we'd want to automate. (For example I think we had some discussions around openSSL, but I think we should track/work on them as an overall program to ensure progress).

If that makes sense to you two I might update the title of this issue to be more about doing it in general for all of the dependencies.

That makes sense to me.

@mhdawson I'll start working on this (looking at all dependencies and see which ones we could update with a script). Should we change the title of the issue to match that?

@facutuesca thanks, I've updated the title.

I updated the first part of the issue to have the list of deps along with checkboxes. We can track progress there in terms of which ones we have automated versus not so far.

@BethGriggs if you have any insight/suggestions of what we might need/want to include in the automation based on what you have learned about SALSA, that info would be good to factor into how we do the automation.

@mhdawson

The following dependencies are already updated automatically via a Github action:

The following have a script + docs on how to update them (but no GH Action):

The following have only docs on how to update them:

Finally, the following don't have any docs/scripts/etc:

  • acorn
  • brotli
  • googletest
  • histogram
  • uv

I'd go with the ones that are often updated, such as OpenSSL / ICU / zlib

ICU doesn't update very often (about once a year), although we do now have an automated workflow for updating the timezone information (which updates more often) in the ICU data file.

I believe the npm team have their own automation to push npm releases into Node.js core.

I'd agree that starting with the ones we update most often would be good, and in particular OpenSSL. I think we have a few starting points. I'd written up nodejs/node#42395 and I think that @RafaelGSS had also done some work on that front as well.

I also think that working on the list for which we have no instructions is also a priority, as I see not having that documented as a risk that we might get it wrong if we do have to do an update.

@facutuesca and thanks for the good categorization, it's good to be able to look at the overall list like that.

Root certificates is another thing we could add to the list: nodejs/node#45477
Update process: https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-root-certs.md

FWIW Adoptium have some automation for something similar for Temurin Java builds (thanks @sxa for the pointer 🙇): https://github.com/adoptium/temurin-build/blob/master/.github/workflows/ca-cert-updater.yml
I believe their version of mk-ca-bundle.pl differs from ours and they also have less information in their commit messages regarding the certificates removed/added or NSS version the update is based on.

@richardlau thanks for pointing that out. I think starting with automating the root cert updates would be a good thing to start with.

So far we have added:

Currently on review:

cc @RafaelGSS

@facutuesca thanks for progressing this and the update.

We can update the list since nghttp2 is now updated with an action via this PR: nodejs/node#46700

@marco-ippolito I've selected llhttp as completed, but IIRC we use a different major of llhttp on v16/v14, so this automation wouldn't solve all the lines.

Maybe bring this discussion up in the next security-wg call? We might find some ideas.

Note, the case of llhttp happens to OpenSSL and I assume to other libraries as well.

Let's discuss it in the next security-wg; I'm happy to work on it.

Feel free to edit if I made a mistake.
Update on dependency status:

The following dependencies are already updated automatically via a Github action:

  • eslint
  • undici
  • cares
  • corepack
  • llhttp
  • nghttp2
  • npm
  • base64
  • ada
  • brotli
  • uv
  • acorn
  • ngtcp2
  • OpenSSL
  • zlib
  • cjs-module-lexer
  • googletest
  • uvwasi
  • V8 (patch)

The following have only docs on how to update them:

  • icu-small

Finally, the following don't have any docs/scripts/etc:

  • histogram (version header file missing; I've opened a PR to include it)

Root certificates is another thing we could add to the list: nodejs/node#45477 Update process: https://github.com/nodejs/node/blob/main/doc/contributing/maintaining-root-certs.md

Opened a PR for updating the root certificates: nodejs/node#47425

@richardlau thanks! Great to see that automated.

Hi everyone! As @marco-ippolito suggested, I'm currently working on uvwasi automation.

UPDATE from #945

  • Create a maintaining-overview.md

histogram (version header file missing; I've opened a PR to include it)

FWIW, the version header file is not necessary. You can take a look at my approach from nodejs/node#47482, which uses some git magic to figure out if anything changed between the latest upstream version and what's in the node repository. It doesn't actually matter what version is in the node repo. The only difference to nodejs/node#47482 is that for googletest, we follow HEAD, whereas for HdrHistogram_c we probably want to use the latest published release.

Updated by github action:

  • acorn
  • ada
  • base64
  • brotli
  • c-ares
  • cjs-module-lexer
  • corepack
  • googletest
  • icu-small
  • llhttp
  • minimatch
  • nghttp2
  • ngtcp2
  • npm
  • openssl
  • postject
  • simdutf
  • undici
  • uv
  • uvwasi
  • V8
  • zlib
  • icu-small (wip: nodejs/node#47727)

Finally, the following don't have any docs/scripts/etc:

  • histogram (version header file missing; I've opened a PR to include it)

PR for dependencies overview: nodejs/node#47589

One left to go 🥳

There appears to be an issue with nghttp3 updates, see nodejs/node#47576 (comment).

Last dependency update automation nodejs/node#48171

and it's merged 🎉🎉🎉🎉🎉🎉 all the dependencies are automated 🥳

Bravo!!