Node dependencies management

[yeraydavidrodriguez]

We have had some internal discussions on how to manage node dependencies in a safe, error-free way, without having to consume too much time.

General Dependencies update approach

Currently, dependabot warns us about new versions in the dependencies, as described in the package.json file. And also, we use yarn as the project package manager.

Those two facts gives us some alternatives on how to manage the dependencies. The most obvious ones are:

1. We use the Pull Requests created by dependabots to apply new updates. Also, we have two methods for doing so:
   1.1. We use github's branch merge button to make it fast and quick
   1.2. We use manual rebase+merge to apply the updates
2. We just use yarn upgrade command to apply all (or just a subset) of the updates and we manually close dependabot's issues after doing so (although they should be automatically closed by dependabots after applied).

Both options have caveats and things to consider:

1.1. Github merge/rebase buttons has issues regarding commit signatures. We do not use them in "regular" code PRs, so we shouldn't use it for dependency updates.
1.2. Manual rebase+merge of each one of the dependencies update can be very time consuming, specially as dependencies grow larger.
2. yarn upgrade honors the version range specification in the package definition file, while dependabot proposes all kind of updates. This means that, if we specify "only minor updates" in our package.json (something very usual), some dependabots PRs won't be applied just by using yarn upgrade

After a discussion with @josecelano , we though that the option 2 is the most adequate, but we should use yarn upgrade --latest. Then, manually close any dependabot update already applied with this (should be all, usually)

Issues and branches

Dependencies updates should be in an independent branch, as any other code modification. We propose reusing always the same issue and the same branch for dependencies update. That way we have a dependency update history (issue) and a consistent updates branch that can be used for automation. If a dependency breaks the code (i.e, does not compile or the tests do not pass), it should be solved in a separate, specific issue.

The updates steps

Given everything, the process of dependencies updates would be as follows:

General update (roughly once a week):

• Create the branch (using always the same name)
• Execute yarn upgrade --major
• Execute tests
• If tests do not pass or do not compile, exclude update that causes it to solve it a separate issue
• Create PR as usual
• Merge+rebase as usual
• Write a comment on the update issue to list all the dependabots PRs applied in this update iteration
• Affected dependabots PR should be closed after applied, or close them manually

If a security alert is warned by dependabot (critical security vulnerability)

• Proceed immediately with the same workflow, but only with the update that patches it. Maybe using a specific issue?

Please, @josecelano , @da2ce7 , @ivanramosnet , make your comments and amends on all this.

[josecelano]

hi @yeraydavidrodriguez thank you for the good summary!.

I want to add that I do not remember why we decided not to use the dependabot PRs directly.

A `dependanbot's commit looks like:

commit 8d3203a9c270ed8939de92c721973c7d2c29cdfc
gpg: Signature made jue 03 feb 2022 13:40:17 WET
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Can't check signature: No public key
Author:     dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Thu Feb 3 13:40:17 2022 +0000
Commit:     GitHub <[email protected]>
CommitDate: Thu Feb 3 13:40:17 2022 +0000

Note: you can import the public key to avoid the "Can't check signature: No public key"

I think the original reason was that we wanted to have all commit signed. But all commits are signed anyway by the GitHub bot. I suppose it does not matter if we sign them with our bot GPG key or the GitHub GPG key, does it? Unless we want to sign commits with our GPG key I do not see any problem anymore.

The could have been also a misunderstanding. When we merge a PR we lose the original author commit signature if we use "rebase and merge" option because GitHub creates new commits even if FF is possible. The new commits have the GitHub bot signature. But I suppose no matter what merge strategy we use we still have at least the bot signature.

In the future we are planning to have at least two branches main and develop and we want to merge into main only with our bot. That could be the reason. In this case, maybe we can change the dependabot configuration to merge into develop and later on use our bot account.

Anyway, we have to decide if it still makes sense or not. Becuase definitively it's a slower and more painful way to do it.

[josecelano]

I've just found out why we did not want to use the dependabot:

The dependabot sets the committer to the logged-in user without any signature. I did not remember it. I was assuming it was the opposite, the committer was the bot and the author the logged-in user.

$ git show --pretty=fuller --show-signature 3787ed9b8e643913415dd5484cf215a37e368e26
commit 3787ed9b8e643913415dd5484cf215a37e368e26
Author:     dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Tue May 17 00:33:05 2022 +0000
Commit:     Jose Celano <[email protected]>
CommitDate: Tue May 17 09:11:37 2022 +0100

    build(deps): bump actions/setup-node from 3.1.1 to 3.2.0
    
    Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.1.1 to 3.2.0.
    - [Release notes](https://github.com/actions/setup-node/releases)
    - [Commits](https://github.com/actions/setup-node/compare/v3.1.1...v3.2.0)
    
    ---
    updated-dependencies:
    - dependency-name: actions/setup-node
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...
    
    Signed-off-by: dependabot[bot] <[email protected]>

[josecelano]

I've rebased that commit:

$ git show --pretty=fuller --show-signature 7f0a6bd72195528a643f6151a70c2b928c5e258b
commit 7f0a6bd72195528a643f6151a70c2b928c5e258b
gpg: Signature made mar 17 may 2022 10:17:37 WEST
gpg:                using RSA key 76BF41FD8C0589E1D5288B29E7279F2518CA55C6
gpg: Good signature from "Nautilus Cyberneering [bot] (Online Key) <[email protected]>" [ultimate]
Author:     dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
AuthorDate: Tue May 17 00:33:05 2022 +0000
Commit:     Nautilus Cyberneering [bot] [josecelano] <[email protected]>
CommitDate: Tue May 17 10:17:37 2022 +0100

[josecelano]

This is another commit example where the dependabot commit was merged (with merge commit). In this case, the commit appears verified. The commiter is the GitHub account and the author is me. Even if I have the "vigilant mode" enabled the commit does not appear partially verified. Maybe just because it was the logged-in user.

commit a268c5c77d98fead0bdc97feb2162e48a02493f5 (HEAD -> main, origin/main)
gpg: Signature made mié 25 may 2022 08:38:26 WEST
gpg:                using RSA key 4AEE18F83AFDEB23
gpg: Good signature from "GitHub (web-flow commit signing) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5DE3 E050 9C47 EA3C F04A  42D3 4AEE 18F8 3AFD EB23
Merge: 91ab341 166f027
Author:     Jose Celano <[email protected]>
AuthorDate: Wed May 25 08:38:26 2022 +0100
Commit:     GitHub <[email protected]>
CommitDate: Wed May 25 08:38:26 2022 +0100

    Merge pull request #112 from Nautilus-Cyberneering/dependabot/pip/pyjwt-2.4.0
    
    build(deps): bump pyjwt from 2.3.0 to 2.4.0