Use automation in order to keep Kibana's dependencies up to date #20225

Closed

mistic opened this issue Jun 26, 2018 · 5 comments
Labels
discuss enhancement New value added to drive a business result Team:Operations Team label for Operations Team

Comments

@mistic (Member)

mistic commented Jun 26, 2018

As our project has a considerable number of external dependencies, it's not easy to keep them up to date. In @elastic/kibana-operations we have already talked about using some automation tools to help us get this job done, and one of the options to accomplish this is Greenkeeper.

This issue aims to track developments on this matter.

PS: @azasypkin asked today if we have any plans in mind to implement something that helps us keep our dependencies up to date, so I believe it is a requested feature 😃

@mistic added the discuss, Team:Operations and enhancement labels on Jun 26, 2018

@azasypkin (Member)

Thanks for considering this!

Right now, in cases where we want to use the latest & greatest version of some packages but it's hard to update the entire repo due to the large number of breaking changes, we just resort to yarn aliased packages and end up with dependencies like "hapi-latest": "npm:hapi@17.5.0" (3 major versions behind) and "lodash-latest": "npm:lodash@4.17.10" (one major behind), accompanied by @types/*-latest packages. It allows us to gradually migrate code to the latest library and eventually switch something-latest to something, but may significantly increase the size of distributable packages.

Maybe there is a better interim solution for that?

/cc @weltenwort
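The aliasing pattern described in the comment above ships two copies of the same library, and the older copy is the one a vulnerability scanner will keep flagging. The script below is an added example, not Kibana's code or anything from this thread: it parses a package.json for "npm:<name>@<range>" alias specs, groups every declared dependency by the real package it resolves to, and reports which packages would be bundled more than once and how many major versions apart the copies are. The sample manifest, its package names and its version numbers are constructed for illustration and say nothing about Kibana's actual dependency tree.

```javascript
// Added example (not Kibana's code): find yarn/npm "npm:" aliases in a
// package.json and report real packages that would ship more than once.
// The manifest below is constructed; the versions are illustrative only.
const sampleManifest = {
  dependencies: {
    hapi: '14.2.0',
    'hapi-latest': 'npm:hapi@17.5.0',
    lodash: '3.10.1',
    'lodash-latest': 'npm:lodash@4.17.10',
    react: '16.4.0',
  },
  devDependencies: {
    '@types/hapi': '^14.0.0',
    '@types/hapi-latest': 'npm:@types/hapi@17.0.0',
  },
};

// Parse one dependency spec. Alias specs look like "npm:<name>@<range>" and
// <name> may be scoped ("@types/hapi"), so split on the LAST "@".
function parseSpec(declaredName, spec) {
  if (!spec.startsWith('npm:')) {
    return { name: declaredName, range: spec, aliased: false };
  }
  const body = spec.slice('npm:'.length);
  const at = body.lastIndexOf('@');
  if (at <= 0) {
    // "npm:foo" or "npm:@scope/foo" with no version: treat the range as "*".
    return { name: body, range: '*', aliased: true };
  }
  return { name: body.slice(0, at), range: body.slice(at + 1), aliased: true };
}

// First integer in a range ("^4.17.10" -> 4). Good enough for caret/tilde/
// exact ranges, which is what a manifest like this contains.
function majorOf(range) {
  const m = /(\d+)/.exec(range);
  return m ? Number(m[1]) : null;
}

// Group every declared dependency by the package it really resolves to and
// report the ones that appear more than once, widest major gap first.
function findAliasedDuplicates(manifest) {
  const byPackage = new Map();
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [declared, spec] of Object.entries(manifest[section] || {})) {
      const parsed = parseSpec(declared, spec);
      if (!byPackage.has(parsed.name)) byPackage.set(parsed.name, []);
      byPackage.get(parsed.name).push({ declared, section, ...parsed });
    }
  }
  const report = [];
  for (const [name, entries] of byPackage) {
    if (entries.length < 2) continue;
    const majors = entries.map((e) => majorOf(e.range)).filter((m) => m !== null);
    report.push({
      package: name,
      copies: entries.length,
      declaredAs: entries.map((e) => `${e.declared}@${e.range}`),
      majorGap: majors.length ? Math.max(...majors) - Math.min(...majors) : 0,
    });
  }
  return report.sort((a, b) => b.majorGap - a.majorGap);
}

console.log(JSON.stringify(findAliasedDuplicates(sampleManifest), null, 2));
```

To run it against a real manifest, replace sampleManifest with JSON.parse(require('fs').readFileSync('package.json', 'utf8')). The report only looks at the manifest, not at the installed tree, so transitive duplicates pulled in by other packages are out of scope; the point is to keep a list of the deliberate "-latest" copies so each one has an owner and an exit plan.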

@jinmu03 (Contributor)

jinmu03 commented Jul 16, 2018

@joshbressers this is the Greenkeeper

@jinmu03 (Contributor)

jinmu03 commented Jul 25, 2018

@mistic @tylersmalley here is more context on why we need Greenkeeper and how we should leverage it.

Below is from Brandon's comment about our current vulnerability scanning.

I usually spend an hour or two a week going through the security vuln flag results to make sure that nothing particularly nasty needs to be addressed, and researching whether we're actually vulnerable or not given our usage of the library. I haven't made it through the entire list yet, but I've generally prioritized the list by what the software considers to be the highest severity.

This manual remediation process is a rather significant effort, so if we could implement Greenkeeper to address what can be automatically upgraded, it'll definitely help us in that regard.

There will likely be quite a few libraries that require manual intervention to address, mainly when there are breaking changes introduced by upgrading the library, or some other remediation strategy is required. If we could implement a process to track the need for these dependencies to be upgraded and the team that should be responsible for addressing it (if it's not the security team) I can help with the triaging and assignment process, I just need somewhere to track all of this.
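The quoted comment describes a triage loop: rank scanner findings by severity, decide which ones a bot can fix with a compatible upgrade, and track the rest (breaking upgrades, or no fixed release at all) for manual assignment. The script below is an added example and is not Kibana's or the security team's tooling: it takes a list of findings, deduplicates the same vulnerable copy reached through several dependency paths, classifies each as "auto" (patched release is in the same major, safe to hand to a dependency bot), "manual" (the fix needs a major bump or no fix exists) or "review" (the installed version is already at or past the patched one, so the finding needs a second look), and orders the result by severity. The record shape, the package names and every version below are constructed for this example; none of them are real advisories.

```javascript
// Added example (not Kibana's tooling): triage dependency vulnerability
// findings into bot-fixable vs. manual work, ordered by severity.
// Record shape and data are constructed; they are not real advisories.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1 };

const sampleFindings = [
  { package: 'example-parser', installed: '2.16.3', severity: 'moderate', patched: '4.2.1', path: 'example-server > example-parser' },
  { package: 'example-template', installed: '3.10.1', severity: 'high', patched: '4.17.5', path: 'example-template' },
  { package: 'example-logger', installed: '2.6.8', severity: 'low', patched: '2.6.9', path: 'example-web > example-logger' },
  { package: 'example-unmaintained', installed: '1.0.0', severity: 'critical', patched: null, path: 'example-unmaintained' },
  { package: 'example-logger', installed: '2.6.8', severity: 'low', patched: '2.6.9', path: 'example-bundler > example-logger' },
  { package: 'example-http', installed: '1.4.0', severity: 'high', patched: '1.4.2', path: 'example-http' },
  { package: 'example-already-fixed', installed: '5.1.0', severity: 'moderate', patched: '5.0.3', path: 'example-already-fixed' },
];

// Plain "major.minor.patch" only; missing components default to 0.
function parseVersion(v) {
  const [major = 0, minor = 0, patch = 0] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  return 0;
}

// "auto": a compatible upgrade exists and a bot can open it.
// "manual": no fixed release, or the fix lives in a new major (breaking).
// "review": installed >= patched, so either the scanner or our data is wrong.
function classify(finding) {
  if (!finding.patched) return 'manual';
  const cur = parseVersion(finding.installed);
  const fix = parseVersion(finding.patched);
  if (compareVersions(fix, cur) <= 0) return 'review';
  return fix.major === cur.major ? 'auto' : 'manual';
}

// One vulnerable copy reachable via several paths is one remediation, so
// merge by package@installed and keep every path for the assignee.
function triage(findings) {
  const seen = new Map();
  for (const finding of findings) {
    const { path, ...rest } = finding;
    const key = `${finding.package}@${finding.installed}`;
    if (seen.has(key)) {
      seen.get(key).paths.push(path);
      continue;
    }
    seen.set(key, { ...rest, paths: [path], action: classify(finding) });
  }
  return [...seen.values()].sort(
    (a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0)
  );
}

// Counts per action, the number to report each week.
function summarize(triaged) {
  const counts = { auto: 0, manual: 0, review: 0 };
  for (const item of triaged) counts[item.action] += 1;
  return counts;
}

const triaged = triage(sampleFindings);
for (const item of triaged) {
  console.log(`${item.severity.padEnd(8)} ${item.action.padEnd(6)} ${item.package}@${item.installed} -> ${item.patched || 'no fix'} (${item.paths.length} path(s))`);
}
console.log(summarize(triaged));
```

The "manual" bucket is the list Brandon asks for somewhere to track: each entry already carries the paths through which it is reached, which is what is needed to work out which team owns the upgrade. The "review" bucket matters too; a finding whose installed version is already past the patched one is usually a stale lockfile or a scanner false positive, and closing those keeps the weekly list honest.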

@janl

janl commented Sep 12, 2018

Heya, Team Greenkeeper here and big Kibana fan (👋). Let us know if there is anything specific we can help with.

For now, Greenkeeper supports ignoring dependencies that you know you don't want to touch for the moment. That allows you to ease into usage with only the things you can manage. And then after you get on top of everything, including the big ticket items, you benefit from finding security issues even faster.

In addition, if you pin your deps and Greenkeeper opens an issue notifying you about a major new version, you can just close and ignore that issue.

If there is anything else that might be useful, do feel free to reach out any time: support@greenkeeper.io

@tylersmalley (Contributor)

I am going to close this since we have begun using Renovate.
