Is there any good tool to track dependency updates for Elixir apps on GitHub?
For Ruby I used to use Gemnasium, it was very good. I can’t find anything like that for Elixir. I don’t like Dependabot because it automatically generates PRs for each dependency update, and there is no option to skip the PR and just send a notification. Notifications are all I need.
If you run mix hex.outdated it will show a list of dependencies, what version you have and the latest version available.
Maybe you could rig a script to parse that on a schedule and send notifications out when current != latest. I could see something like that being doable with cron and ~100 lines of Bash.
Of course you can run mix hex.outdated. But when you have a few+ projects on GitHub and you don’t touch them daily, you still want to know if a dependency needs updating, especially for security reasons.
Well, PRs are PRs, using them as notifications makes it look messy.
Gemnasium used email notifications and a dashboard. It was quite informative, with no noise in the GitHub PRs section. I wish there was something like that for Elixir.
Considering they were all 7 days ago, I’m guessing the bot was just activated 7 days ago and those are the ones that are out of date. Should fix those. ^.^
If you close them, they stay closed. You can even tell the bot you don’t want to hear about further updates about a specific dep as well.
Huh?!? I’ve never seen such a section in GitHub, what’s the GitHub URL to such a thing?
This is from some public repo. It’s the reason I don’t use it, I don’t want my GitHub to look like that. Besides, I never update and deploy for each dep separately, so these PRs never get merged.
There once was hexfaktor by @rrrene, which he took down quite a while ago for legal reasons. It wasn’t GDPR compliant, and it seems taking it off was easier than fixing compliance.
Perhaps there is something left in the repository that you can use?
Another way might be to use GitHub Actions on: cron: … as soon as they are publicly available or if you are already in beta, to run mix hex.outdated on a regular basis.
If you decide to do so, it would be nice to support hexpm/hex#714 and explain your use case and how you would benefit from an output that is more easily parsable than an aligned table.
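An added example, not written by any poster in this thread and not part of Hex: a POSIX shell version of the parse-and-notify idea discussed above, reading the aligned table from mix hex.outdated and reporting only dependencies whose current version differs from the latest. The function names, the sample table and the assumed column layout (header row starting with "Dependency", then name, current, latest) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `mix hex.outdated` output (not from a real project).
# Assumption: the header row starts with "Dependency" and the first three
# columns are name, current version, latest version; a blank line ends the table.
SAMPLE_OUTPUT='Dependency  Current  Latest  Status
cowboy      2.6.1    2.9.0   Update possible
jason       1.4.0    1.4.0   Up-to-date
plug        1.8.0    1.14.2  Update not possible

See each package page for changelogs.'

# Hypothetical helper: reads `mix hex.outdated` output on stdin and prints
# "name current -> latest" for every dependency where current != latest.
outdated_deps() {
  awk '
    # Strip ANSI colour codes in case the output was captured with colours on.
    { gsub(/\033\[[0-9;]*m/, "") }
    $1 == "Dependency" { in_table = 1; next }   # header row starts the table
    in_table && NF == 0 { in_table = 0 }        # blank line ends the table
    # Appending "" forces a string comparison of the two version fields.
    in_table && NF >= 3 && ($2 "") != ($3 "") { print $1, $2, "->", $3 }
  '
}

# Hypothetical helper: prints a notification body and returns 0 when at least
# one dependency is behind; prints nothing and returns 1 otherwise, so a
# scheduled job can stay silent when everything is current.
notification_body() {
  report=$(outdated_deps)
  [ -n "$report" ] || return 1
  printf 'Outdated Hex dependencies:\n%s\n' "$report"
}
```

In a cron job or scheduled workflow, pipe the output of mix hex.outdated into notification_body and pass the result to whatever mailer or chat hook you already use.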