Is it possible to run post upgrade script depending on the type of package manager?

[songkeys]

My requirement is to run npm audit fix or yarn audit fix etc after packages being upgraded.

So per the docs, I should use postUpgradeTasks:

  postUpgradeTasks: {
    commands: ["is_npm && npm audit fix",
               "is_yarn && npx yarn-audit-fix",
               "is_pnpm && pnpm update --depth Infinity", // https://github.com/pnpm/pnpm/issues/1153#issuecomment-725440377
               ],
    fileFilters: ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"],
  },

But I need to know the type of package manager. How?

Side question: is there a way to change npm's version depending on which version of package-lock.json is? Since npm audit fix would change it but in npm@v7 it has a different structure.

The main reason I'm doing this is because #3080 is not supported yet. I need audit fix to workaround but seems that I got another problem.

Any suggestions? Thank you so much!

[viceice]

postUpgradeTasks only works on selfhosted renovate, you can use it in packageRules.

#3080 will be fixed soon.

[songkeys]

Thank you. I am using a self-hosted version. Is it suggested to wait for this to get implemented rather than configuring confusing options?

[jdbruijn]

See the renovatebot/github-action repo for self-hosted renovate information 😉

To elaborate on the packageRules, by all means I'm no expert but I think you should be able to use something like this, see JavaScript language.

{
  "packageRules": [
    {
      "matchLanguages": ["npm"],
      "postUpgradeTasks": {
        "commands": ["npm audit fix"],
        "fileFilters": ["package-lock.json"]
      }
    },
    {
      "matchLanguages": ["yarn"],
      "postUpgradeTasks": {
        "commands": ["npx yarn-audit-fix"],
        "fileFilters": ["yarn.lock"]
      }
    }
  ]
}

I don't see managers for yarn and pnpm so I'm not sure how that data would look like. Maybe you should use package rules based on files

[songkeys]

@jbreckel
Thank you for the helpful snippet. The matchLanguages should be matchFiles though. I posted my result below rarkins's answer.

[rarkins]

We don't currently distinguish between npm and yarn - they are considered the same manager. So both are language=javascript and manager=npm. You may be able to distinguish between them using "matchFiles": ["package-lock.json"] and "matchFiles": ["yarn.lock"] because matchFiles can be either package file or the lock file.

[songkeys]

@jdbruijn @rarkins Thank you so much! You helped me a lot.

I'm currently doing this in my packageRules:

  {
      matchFiles: ["package-lock.json"],
      postUpgradeTasks: {
        commands: ["npm audit fix"],
        fileFilters: ["package-lock.json"],
      },
    },
    {
      matchFiles: ["yarn.lock"],
      postUpgradeTasks: {
        commands: ["npx yarn-audit-fix"],
        fileFilters: ["yarn.lock"],
      },
    },

This works fine!

But the postUpgradeTasks is triggered for every package updated. I think the PR #8725 should fix this? Not sure if "upgrade based on branch" could result in being not able to find the location of the specified mathFiles (i.e. lock files in the sub-directories for monorepos.)

[rarkins]

It would hopefully find them per-update, combine and deduplicate them per branch, and then execute them all at once. Best if you follow along that PR instead of here though.