Configure renovate for apk, gem, cargo, pip and npm dependencies #4588
Conversation
bdovaz
requested review from
nvuillam,
echoix and
Kurt-von-Laven
as code owners
🦙 MegaLinter status:
|
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ✅ API | spectral | 1 | 0 | 1.68s | |
| bash-exec | 6 | 1 | 0.01s | ||
| ✅ BASH | shellcheck | 6 | 0 | 0.14s | |
| ✅ BASH | shfmt | 6 | 0 | 0 | 0.54s |
| ✅ COPYPASTE | jscpd | yes | no | 3.24s | |
| ✅ DOCKERFILE | hadolint | 129 | 0 | 38.63s | |
| ✅ JSON | jsonlint | 20 | 0 | 0.28s | |
| ✅ JSON | v8r | 22 | 0 | 12.01s | |
| markdownlint | 267 | 0 | 302 | 21.13s | |
| ✅ MARKDOWN | markdown-table-formatter | 267 | 0 | 0 | 167.7s |
| bandit | 215 | 66 | 3.42s | ||
| ✅ PYTHON | black | 215 | 0 | 0 | 4.93s |
| ✅ PYTHON | flake8 | 215 | 0 | 2.03s | |
| ✅ PYTHON | isort | 215 | 0 | 0 | 1.54s |
| ✅ PYTHON | mypy | 215 | 0 | 15.57s | |
| ✅ PYTHON | pylint | 215 | 0 | 32.65s | |
| ✅ PYTHON | ruff | 215 | 0 | 0 | 0.83s |
| ✅ REPOSITORY | checkov | yes | no | 36.35s | |
| ✅ REPOSITORY | git_diff | yes | no | 0.95s | |
| grype | yes | 24 | 12.6s | ||
| ✅ REPOSITORY | secretlint | yes | no | 10.95s | |
| ✅ REPOSITORY | trivy | yes | no | 18.7s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | 0.27s | |
| trufflehog | yes | 1 | 54.27s | ||
| ✅ SPELL | cspell | 718 | 0 | 13.35s | |
| lychee | 349 | 29 | 66.2s | ||
| ✅ XML | xmllint | 3 | 0 | 0 | 0.97s |
| ✅ YAML | prettier | 160 | 0 | 0 | 3.96s |
| ✅ YAML | v8r | 102 | 0 | 14.53s | |
| ✅ YAML | yamllint | 161 | 0 | 2.95s |
See detailed report in MegaLinter reports
|
I can't manage to see the last files (for descriptors and renovate) on my phone, it's too big, but I'll try to take a look before or during this weekend (as I'd have to look on my computer). |
This is too impacting. It's not fine with me. The configuration format changed, and users have already adapted if they updated. We had some issues filed in this summer if I'm not mistaken, and some community member helped out a bit. You could take a look if you'd. |
|
This package: It only exists up to 3.18, after that it does not exist. Why without being pinned it doesn't fail saying that it doesn't exist? No idea, but as you can see, it does not exist. It was referenced here: |
I am no npm expert so I can't tell you the answer to why without being pinned (which I understand installs the latest version of each npm package) this library works if it explicitly says that with 9.x it doesn't work: And as I have posted, there is an issue where you can see that it is not supported: airbnb/javascript#2961 |
|
Wow, what a nice PR , bringing us closer to "bring your own flavor" that we'll build someday :) Agreed with @echoix , can't downgrade eslint ^^ About apk packages... I wonder if we really need to pin versions, especially those who are "core librairies" and linters: why wouldn't we want to have the latest, as no specific test cases depend on them ? I don't remember a case when we had to downgrade an apk package |
|
About eslint, as I say, if you have more experience than me in npm maybe you can explain me how to solve the problem I mention. And about the apk “core libraries”, why differentiate them and not be deterministic? We have renovate now. With this PR and all the PRs of #4543 I want to make the MegaLinter image 100% deterministic, I want that no matter if I build a Dockerfile today or a year from now, the result will be the same. |
|
@bdovaz do you mean you also want to be able to change python alpine base image version ? ^^ |
Maybe I am not making myself clear. I mean that NO reference to any image or package is unpinned. This way you get deterministic results, that's all I mean. It is clear that you will not be able to change the versions at will in your flavor for free because some are cascaded as the most core ones: alpine version, python version, ... But at least as I say, it assures you the security of determinism. |
|
It's kinda ok to have apk packages pinned, but in a package manager environment like that you don't really have the choice on what versions to install. The whole ecosystem is updated to work together. Alpine keeps only one version of each, per os version. You can't change. But having the version in there helps illustrate what was there at that time. Maybe using I'm pretty sure that we would need to update all the apk packages versions all at once with renovate, possibly at the same time as the alpine versions. That will also mean that we would have to adjust all these pins at the same time we change Python+alpine version (the base image). |
Effectively, we have to use: https://docs.renovatebot.com/configuration-options/#groupname Although there is this problem: Which gives the conflict that it would take “2 runs”. One that changes |
|
I would also appreciate if you could answer me / help me to unlock and merge this PR as soon as possible because it is very important and the more time passes, the more conflicts may arise because many files (descriptors and python core scripts code) have been touched. |
Do we try to fix dotnet linters and release a patch before this? |
Yes, sure, I mean merge it after releasing the patch for the .NET 9 issue. |
@nvuillam @echoix about this eslint 9.x vs 8.x topic... I have been testing and I would say that we were already on 8.x even if you think we were on 9.x.... Look: With this Dockerfile: The result of And instead with this Dockerfile: It does not work: Which is why I was telling you that I had to downgrade from 9.x to 8.x, although as I show you, it is not really a downgrade but we were already on 8.x. And without pinning it seems that by installing N dependencies in a single command it is “smart” in the sense that it is able to calculate which maximum version of each dependency it can install based on the dependencies/requirements of the rest. And it calculated: 8.x |
|
Does that mean that we don't have the same eslint versions in our different images? But anyways, in that case, I agree with you for the downgrade (if it is what the users already have). So, after publishing the patch release, it could be ok to merge this PR. I know it's a lot of work |
This is the conclusion that I have come to, which is more dangerous because it depends on the flavor that you use, it may solve a different version of a package as in this case. With this PR we are sure that all will have exactly the same version. cc @nvuillam |
|
Maybe removing a plugin is less disruptive if the version in a major flavor is higher |
build.pyI have moved the definition toconstants.pyand editedrenovate.json5to add a new regular expression very similar to the previous ones.ARGare generated in Dockerfile because now there were problems with the multi-stage/layer build and I had to solve problems that depending on the scope I was in, certainARGdidn't exist.cli_docker_image_versionparameter, since it is a special case that instead ofARG(image generation time), it uses it in execution and requires thatENVexpanded.eslintfrom 9.x to 8.x because there is some other package that required that library to be in8.x. This problem did not occur when the dependencies were not pinned because I imagine thatnpmwould be “smart” in that sense and would be able to establish which one is the right one.{PACKAGE_SYSTEM]_{PACKAGE_NAME}_VERSIONcriterion. Examples: APK_ICU_LIBS_VERSION, NPM_ESLINT_VERSION, ...I do not know if I have left something without pinning but there are so many things that has been a huge work.... I would appreciate help after merging this PR in case I have left something... Some of them were difficult to detect as the ones added through
build.pywere more hidden.