Tools: Proposal: Use Greenkeeper to keep updated dependencies

@abdonrd thanks for sharing, I've never heard of this before.

• Breaking dependency notifications sounds nice.
• New major dependency notifications sounds nice.
• I'm almost certain we'll still need a human to do actual dependency updates just because it's not that black and white. For example there are several polymer-cli dependencies that are purposefully not at the most latest version. Also our test coverage isn't at 100% so I wouldn't trust our PR CI on its own. Also also, coordinating @types/ dependency updates probably isn't automated.

I'd be down to try this out just for the breaking dependency tracking, maybe in one repo to start. @justinfagnani @rictic @usergenic wdyt?

It sounds like there's always a human in the loop. We should take care when merging, but it doesn't seem unreasonable on the face of it.

It will have the side effect of pushing more work into updating code in google3. We'll also want a graceful way of handling cases where we're intentionally not on the latest version (e.g. wct doesn't want to upgrade to the latest lodash because it would be really disruptive for downstream clients, instead we have a longer term plan to drop the dependency entirely).

👍

@rictic It does have version pinning available.

Version pinning now available. You’ve got stuff to do, we understand. Sometimes you simply have to make a pragmatic trade-off between fixing your build for the breaking update or just pinning the working version so you can get back to it later. Our bot can respect that.

See more here Hackception/polymer-starter-kit#13

Greenkeeper it's in the GitHub marketplace: github.com/marketplace/greenkeeper

https://twitter.com/github/status/925852262366359552

Another option is https://renovateapp.com/ which https://github.com/GoogleChromeLabs and @robdodson are using.

I'm also using Greenkeeper for some of our WICG repos. I think Renovate works well for mono repos, and Greenkeeper works well for individual repos.