npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@jamietanna/renovate-graph

v0.24.0

Published

A tool to export the dependency graph from [Renovate](https://docs.renovatebot.com/), while not requiring repo onboarding to Renovate, and allows a straightforward means to discover your dependency tree.

Downloads

1,162

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

jamietannajamietanna

Keywords

Readme

Renovate Data Exporter

A tool to export the dependency graph from Renovate, while not requiring repo onboarding to Renovate, and allows a straightforward means to discover your dependency tree.

Note If you're currently using Renovate already, this may not be worthwhile using as-is, and instead you could use the Renovate debug logs for this, which can still be imported using the dmd CLI (v0.20.0 and above).

From v0.20.0, any repo configuration will be followed, but disabling of dependency scanning (i.e. via enabledManagers or packageRules will be ignored.

Usage

Install the package with:

# to invoke with `npm exec renovate-graph`
npm i @jamietanna/renovate-graph
# to invoke with `renovate-graph`
npm i -g @jamietanna/renovate-graph

A single repository

Running the following:

renovate-graph --token $GITHUB_COM_TOKEN jamietanna/jamietanna

Will create the file out/jamietanna-jamietanna.json.

Autodiscovery (with a filter)

Running the following:

renovate-graph --token $GITHUB_COM_TOKEN --autodiscover --autodiscover-filter 'jamietanna/*'

Will create the files out/jamietanna-jamietanna, out/jamietanna-disARM, etc.

Using the local platform

Since Renovate 35.76.0, it's been possible to use Renovate's local platform to run Renovate against a local directory, without requiring a full Git checkout.

From a directory - possibly without a .git folder - you can then run:

env RG_LOCAL_PLATFORM=gitlab RG_LOCAL_ORGANISATION=jamietanna RG_LOCAL_REPO=jamietanna renovate-graph --platform local

This requires the following environment variables to ensure the metadata is correct:

  • RG_LOCAL_PLATFORM: The platform that this local directory is for
  • RG_LOCAL_ORGANISATION: The organisation that this local directory is for. Can include a / if a nested organisation
  • RG_LOCAL_REPO: The repository name that this local directory is for
  • RG_EXCLUDE_REPOS: A comma-separated list of repositories to exclude from the scanning. Must be an exact match, of the format $org/$repo, i.e. jamietanna/jamietanna or gitlab-org/sbom/generator

Specifying a directory for the data

By specifying the OUT_DIR environment variable, we can tune where the output will go. For instance, running the following:

env OUT_DIR=../data renovate-graph --token $GITHUB_COM_TOKEN jamietanna/jamietanna

Will create the file ../data/jamietanna-jamietanna.json.

Filtering the data into SQLite

The data can be converted to an SQLite format using the dmd CLI.

Running as a GitHub App

To simplify the means to authenticate, as well as more easily discovering repositories that you wish to retrieve data from, this has support for running as a GitHub App.

The App needs to be created with the following permissions:

  • Contents: Read only
  • Issues: Read only
  • Metadata: Read only

Then, when running this, you will need to set the following environment variables:

RG_GITHUB_APP_ID='...'
RG_GITHUB_APP_KEY='-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA4XmSD...'
RENOVATE_USERNAME='renovate[bot]'
RENOVATE_GIT_AUTHOR='Renovate Bot <29139614+renovate[bot]@users.noreply.github.com>'

# may only be required if you're using this as a library, not an executable
RG_GITHUB_APP_INSTALLATION_ID='...'

Additional configuration

There are also the following configuration options for further operability:

  • RENOVATE_REQUIRE_CONFIG defaults to optional with renovate-graph. To prevent the disabling of managers, which could limit the amount of data that can be retrieved by renovate-graph, while allowing the use of custom regexManagers or otherwise, we explicitly ignore enabledManagers and packageRules in a given repo.
  • RG_DELETE_CLONED_REPOS=true: After checking the dependency data for each repo, immediately delete it. This will slow execution of renovate-graph, but will allow running when using large repositories or against a large number of repositories and organisations that could lead to exhaustion of disk space
  • RG_INCLUDE_UPDATES=true: As well as parsing the dependency tree, also receive the list of updates that Renovate can see across your dependencies. This is opt-in as it can lead to considerably slower executions of renovate-graph due to needing to hit the network much higher for dependency updates.
  • RG_INCLUDE_LOCKFILES=true: Parse the lockfile data that Renovate discovers, but does not initially load into the discovered package data. Prior to v0.21.0, this was default behaviour.

License

As this is heavily modified code from Renovate itself, this project is licensed in the same was as Renovate - AGPL-3.0.