My son was peering over my shoulder this evening as I ran some “simple” dependabot updates on some simple Laravel web applications that I run.
I started trying to explain what I was doing and why, and as I did so I realised all the many, many things you have to understand for this process to make sense.
- My web projects have many “dependencies”
- A dependency is a bit of code that someone else wrote that I use in my project
- Other people can update their bits of code that I use
- When other people update their code, I have to update my copy of their code (my dependency)
- Sometimes this is important for security – to stop bad things happening to my website/app
- There are tools called “dependency managers” that help me do this
- That JSON file is a list of the dependencies and the version numbers of those dependencies that I want
- SEMVER and the constraints notation
- Actually there’s another JSON file. That’s for some other dependencies.
- Some dependencies are “in” my app. Others are tools that help “build” my app.
- Some dependencies are JavaScript, and some are PHP
- The composer CLI
- The npm CLI
- What is a CLI
- Using CLI history to do things quicker
- Git (this is a whole list of its own)
- GitHub
- shell aliases
- Pull Requests
- Dependabot
- Hosting
- “Deployments”
It’s just _bonkers_ how much tech knowledge is wrapped up in this. And yet all I really do is:
npm updatecomposer updatenpm run buildgca -m "updates"gp
And then check everything works and the PRs get closed. (I prefer to do this rather than just merge the dependabots).
Wow!