Notifications about app dependencies updates

Is there any good tool to track dependency updates for elixir apps on github?

For Ruby I used to use Gemnasium, it was very good. I can’t find anything like that for Elixir. I don’t like Dependabot because it automatically generates PRs for each dependency update, and there is no option to skip the PR and just send a notification. Notifications are all I need.

If you run mix hex.outdated it will show a list of dependencies, what version you have and the latest version available. The output looks like this: https://twitter.com/nickjanetakis/status/1124085534106771457/photo/1

Maybe you could rig a script to parse that on a schedule and send notifications out when current != latest. I could see something like that being doable with cron and ~100 lines of Bash.


Those PRs are the notifications, how else would you expect to get them? It will even auto-close them if you update manually as well. :slight_smile:


Of course you can run mix hex.outdated. But when you have a few+ projects on github and you don’t touch them daily, you still want to know if a dependency needs updating, especially for security reasons.

Well, PRs are PRs, using them as notifications makes it look messy.

Gemnasium used email notifications and a dashboard. It was quite informative and there was no noise in the github PRs section. I wish there was something like that for Elixir.

Considering they were all 7 days ago, I’m guessing the bot was just activated 7 days ago and those are the ones that are out of date. Should fix those. ^.^

If you close them, they stay closed. You can even tell the bot you don’t want to hear about further updates about a specific dep as well.

Huh?!? I’ve never seen such a section in github, what’s the github URL to such a thing?

This is from some public repo. It’s the reason I don’t use it, I don’t want my github to look like that. Besides, I never update and deploy for each dep separately, so these PRs never get merged.

This is an old screenshot from Gemnasium, a service that tracked ruby gem updates for your project. It was bought by Gitlab and closed. https://docs.gitlab.com/ee/user/project/import/gemnasium.html

Nothing like that exists for Elixir.

They’ll all be closed once you update. No matter the amount of commits it took.


Precisely, and the bot keeps the PR updated with the latest commits as well, and will close it if you yourself manually update.


Write up a little Bash script to run it on a schedule or some other custom tooling.

About ~5 years ago I wrote a Ruby gem called Gemshine that recursively ran the hex outdated equivalent on all of my Rails projects. It didn’t report contextual things like security reasons on why to update, but it showed a list of dependencies for each project and it made keeping track of a bunch of project dependency upgrades really easy. Run 1 command, wait a few seconds and see what to upgrade.

Something like that would address your problem of:

But when you have a few+ projects on github and you don’t touch them daily, you still want to know if dependency needs updating

There once was hexfaktor by @rrrene, which he took down quite a while ago for legal reasons. It wasn’t GDPR compliant, and, as it seems, taking it off was easier than fixing compliance.

Perhaps there is something left in the repository that you can use?

Another way might be to use GitHub actions on: cron: … as soon as they are publicly available or if you are already in beta, to run mix hex.outdated on a regular basis.

If you decide to do so, it would be nice to support hexpm/hex#714 and explain your use case and how you would benefit from an output that is easier to parse than an aligned table.
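The scheduled-script idea from the mix hex.outdated post earlier in the thread and the cron-triggered run suggested just above both need the same parsing step. Below is an added example, not code from anyone in this thread nor from Hex itself; it assumes that hex.outdated prints a whitespace-aligned table with the columns Dependency, Current, Latest and Status, and it runs against constructed sample output rather than a real project.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from Hex: parse the aligned table that
# `mix hex.outdated` prints and report rows whose Current version differs from
# the Latest one, so a cron job or scheduled GitHub Actions run can send a
# notification instead of opening PRs.
# Assumed column layout: Dependency  Current  Latest  Status
set -euo pipefail

# Constructed sample standing in for real `mix hex.outdated` output.
SAMPLE_OUTPUT='Dependency  Current  Latest  Status
jason       1.1.2    1.2.0   Update possible
plug        1.8.0    1.8.0   Up-to-date
phoenix     1.4.0    1.4.9   Update not possible'

# Read the table on stdin; print "dep current latest" for each outdated row.
# Strips ANSI colour codes, ignores everything before the header line, and
# appends "" so awk compares versions as strings (1.8 and 1.80 stay distinct).
# Exits 2 when no header was seen, so a changed table layout is not mistaken
# for "everything is up to date".
outdated_deps() {
  sed "s/$(printf '\033')\[[0-9;]*m//g" |
    awk '$1 == "Dependency" { seen = 1; next }
         seen && NF >= 3 && $2 ~ /^[0-9]/ && $2"" != $3"" { print $1, $2, $3 }
         END { if (!seen) exit 2 }'
}

# Number of outdated dependencies (0 when everything is current).
count_outdated() {
  outdated_deps | wc -l | tr -d '[:space:]'
}

# Notification body for one project; empty when nothing is outdated.
# Under cron, anything printed to stdout is mailed to MAILTO, so a job can
# simply run: cd "$project" && mix hex.outdated | notification_body "$project"
notification_body() {
  local project="$1" list
  list=$(outdated_deps)
  if [ -n "$list" ]; then
    printf 'Outdated dependencies in %s:\n%s\n' "$project" "$list"
  fi
}
```

Loop the last function over each checkout to cover several projects at once; a non-zero exit from outdated_deps means the table no longer looks as assumed and the job should alert on that rather than stay silent.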