in GitLab, a PR may be open while the branch itself has been removed. We cant just assume that the branch exists because the PR does, even if it’s an edge case.
* Revert "fix: disable reusing existing package-lock.json when upgrading (#1530)"
This reverts commit 2728e39963.
* switch from —package-lock-only to —ignore-scripts
Removing `--package-lock-only` option from npm installs due to https://github.com/npm/npm/issues/19852
Pretty sure this fixes#1495
Compile the semanticCommitScope with handlebars to ensure any
substitutions such as {{depName}} are correctly parsed and replaced.
Closes#1504
Signed-off-by: Adam Moss <adam.moss@bcs.org.uk>
Check if a lock file already exists in the current *branch* and if so then use it as the base for generating the new lock file and not the master one. Ensures that simple rebases result in same result.
Closes#1481
Adds support for running `lerna bootstrap` instead of `npm install` or `yarn install` (without Workspaces), hence allowing support of internally-linked dependencies.
Closes#1441, Closes#1443
Adds a config option to bot administrators called `exposeEnv`, for cases where repositories are trusted. If set to true, the bot's full `process.env` can be used for `.npmrc` variable substitution and is passed to child processes when generating lock files. Disabled by default, including in the App.
This PR adds the capability to renovate more than one base branch at a time. For instance, a project may have their released `3.x` version on `master`, while an upcoming `4.x` is being prepared using branch `next`. `4.x` might have a quite different set of dependencies (e.g. some removed or some added) so it's not appropriate to only target `master` and keep rebasing, as it will get messy. Instead, it's necessary to target both `master` and `next` to keep both updated.
Closes#1279
Previously, Renovate would attempt to keep a branch up to date even if users had edited it. e.g. adding commits on top of the existing branch if newer versions were released. Now, Renovate adds a warning comment if a user has edited a branch, making it clear that responsibility for the branch is over to them and how they can undo this.
Closes#653
When 404 or 422 errors are encountered writing updates, Renovate will now restart in an attempt to fix it. Usually this is because branches/PRs have been edited or closed while Renovate is running.
Closes#1299
This feature enables signing of git commits on GitHub. To achieve this, Renovate must be configured with a gitPrivateKey in format supported by openpgp. There must also be a gitAuthor configured to enable this feature.
Closes#897
This PR adds the capability to specify a custom author for git commits on GitHub. Setting this field will mean GitHub uses this value for author and commit instead of the token’s identity. For instance if you are running hosted mode you may set the gitAuthor to “Renovate Bot <bot@renovate.com>” to have commits appear as coming from the renovate-bot account.
If we have in a package.json links to some local lib file:../path/to/folder
Then the local lib package.json will be copied to the tmp folder to be able to generate the right yarn lock file. This is not working with tgz files, only folder reference.
Closes#1215
Remove original getFile, getFileContent, and getFileJson and replace with getFile (which used to be getFileContent.. shortened now for convenience). Also remove unused getSubdirectories functions.
Renovate already detects PRs mistakenly closed during a certain time period when a bug was present. Now, it will rename those so that they are no longer detected and the ignore code does not have to remain indefinitely.
Previously, upgrades with failing lock files were not raised as PRs. Usually this is because of missing private module configuration. Now, Renovate will raise a PR but add a comment warning of the error, with the error log. It's raised as a comment because we now won't need to regenerate the lock file error every run, and we don't want to "lose" it if the PR description gets updated.
Closes#600
This feature adds a new behaviour to Renovate, where it will now add a comment to any existing closed PRs that are "blocking" currently valid updates. A new API function "ensureComment" has been added, its purpose is so we can ensure there exists only one comment with a certain subject/heading. This lets us prevent duplicates as well as update existing, without having to keep state about it. ensureComment needs porting to gitlab, but should be quite easy.
By default, Renovate will now continue *updating* - but not creating - branches even if off-schedule. This applies to features such as (a) rebasing branches if master changes, (b) updating if new version comes, (c) creating PRs if tests pass, (d) automerging. It is planned that (b) will be configurable in a future feature. To disable this behaviour altogether, set updateNotScheduled to false.
Closes#879
Previously, Renovate assumed that any yarn workspaces configuration would be in the root of the repository. Now, workspaces can be located within a subdirectory, e.g. `frontend/`. Note: Renovate still supports only one workspace per repository, please file an issue if you require more than one.
Closes#842
Now adds `stdout` and `stderr` from `npm` and `yarn` installs to the "Generated lockfile" log message, so that the exact versions of npm and yarn can be known in the default logs.
Closes#827
This fix improves the way Renovate detects embedded/installed npm and yarn. It tries:
- locally installed npm or yarn
- npm or yarn embedded inside globally installed renovate
- globally installed npm or yarn
- global `yarn` or `npm` commands as fallback
Fixes#824
Renovate will now depend on yarn like any other dependency and call this version directly, instead of having an embedded version. This will allow us to "renovate" the yarn version we use too.
- Any package names not matching valid pattern will be rewritten to “dummy”
- “engines” and “scripts” fields will be completely removed
Closes#801, Closes#784
This feature adds initial support for renovating Dockerfiles. Renovate now:
- Detects all `Dockerfile`s in repo
- Searches for `FROM x` in first non-comment line, breaks x into image, tag, digest
- Queries public Docker registry for image:tag combination to find latest digest
- Patches Dockerfile if necessary
- Creates branches/PRs as like with npm
Closes#795
This feature adds support for renovating Meteor's `package.js` files. Meteor config is disabled by default so must be manually enabled to work. If enabled, Renovate uses GitHub's search API to look for any files named `package.js` that include the text `Npm.depends`. If so then the file is parsed using Regex to extract its dependencies and check them for updates.
Closes#785
If a repository has a lock file error (e.g. can’t look up a private module) then it will no longer attempt to create every branch. Instead, it will error/exit after the first branch. Additionally, “Pin Dependencies” has been sorted to be first and further branches won’t be added or updated until Pin Dependencies has been merged.
Renovate config can now support the fields `npmToken`, `npmrc` and `yarnrc`. `npmrc` and `yarnrc` (note no `.` prefix) can be used as an alternative to checking the respective files into the repo and have the same effect. `npmToken` is a shorter alternative and allows for just the npm token to be added, defaulting to the public npm registry.
Previously, the automerge feature was causing some undesirable behaviour when multiple branches were open at the same time. Example: #707. The main problem is that other branches will still be calculated based on the original `package.json` contents and not the post-merge contents. The simplest solution seems to be:
- Stop all subsequent branch processing after any automerge
- Restart repository renovation
This continues until no branch has automerged in a cycle.
Closes#750
This feature adds explicit support for correctly generating the yarn.lock file for workspaces. Specifically, it means that the yarn.lock in the root directory is regenerated whenever *any* package.json is modified. Previously lock files were only every updated if its corresponding package.json changes, but that is not the way yarn workspaces works.
Closes#473
This is a major refactor of branch code to prepare for Yarn workspaces plus creating PRs for branches with failing lockfiles. Marked as "feature" to cause a minor version bump due to the moderate chance of accidentally breaking something.
tmpDir is now created once per-repository and package.json files are written and lockfiles generated based on the repo's directory structure. This way node_modules can be reused between branches in same run.
Closes#501
Refactored the `automerge` field to change it to boolean. Existing string will be migrated to new config. Automerging lock files is now possible by adding `”lockFileMaintenance”: { ”automerge”: true}` to config.
Closes#706
It was a mistake to enable this feature by default, and should be disabled. A check has been made to set the status to “success” if it was previously “pending” and the setting is now false. This should also cover the case when someone enables it and then disables it.
Fixes#667
Renovate now adds a status check renovate/unpublish-safe that has the following behaviour:
If any upgrade in the branch is < 24 hours old then the status check state is "pending"
If all upgrades in the branch are 24 hours or more old then the status check state is "success"
This is able to be disabled via a new option "unpublishSafe".
Closes#494
No need for {{semanticPrefix}} to be specified in templates now - it will be implicitly added to start of commit message and PR titles if semanticCommits=true
We now check branch protection configuration for the repository's base branch to see if branches must be kept up-to-date. If so then we check Renovate branches for rebasing even if rebaseStalePrs is not set to true.
Closes#524
We should not rebase stale PRs if they have been edited any anyone. This adds a check from the PR to see if it can be rebased. If no PR then we assume we can - nobody should be editing our branches directly without PR.
Closes#525
A repository with .yarnrc specifying pure-lockfile was preventing our yarn from saving a lockfile too! Now filter it out before writing the yarnrc to our tmp directory.
Closes#507
Renovate now uses an embedded yarn binary. This way, the version of yarn used can be known + there is no requirement for Renovate admins to install yarn separately.
This removes the need to JSON.stringify() objects in logs. Default bunyan fields plus our custom meta fields are stripped out, and everything else is stringified in the details field.
Closes#498
Schedule logic has been refactored to enable the pruning of all orphan branches.
Now, schedules aren't checked at package-time, instead package upgrades are queued regardless of schedule.
At branch time, it is checked whether the *branch* is scheduled and then the branch is not created/updated if it's off-schedule.
This enables the repository worker to know all possible branches and hence be able to determine which remaining branches in the repository are "orphans" to be deleted.
Closes#428, Closes#426
A separate routine is run after branch creation to detect any branches that should be deleted. A branch will be removed if:
- It was not created by renovate in the last run, AND
- It has no PR, or its corresponding PR is not mergeable
Closes#426, Closes#428
This starts off [#359](https://github.com/singapore/renovate/issues/359) (configurable status checks) but only implements one sub-feature of it: disabling status checks to allow automerge if tests fail or if no tests are present.
This feature now allows a custom schedule to be defined for lock file maintenance. It is now enabled by default but runs only before 5m on Sundays. Closes#399
BREAKING CHANGE: lock file maintenance is enabled by default.
Rules will apply to both yarn and npm (npm is yet to be implemented however). Existing mainainYarn* variables are removed and replaced by new lockFileMaintenance object.
