[renovate] enable lock file maintainance or increase its frequency if it's already on

[pichlermarc]

Since package-lock.json is now tracked it's also updated with renovate bot PRs. We should possibly enable lock-file-maintainance in the renvoate bot config (or if it is already enabled, bump the frequency at which it creates those PRs) now that we track it though. This'll enable us to catch problems earlier and therefore with a smaller lock file diff.

Originally posted by @pichlermarc in #4255 (comment)

[trentm]

I wonder what version of npm renovate uses for that regeneration of "package-lock.json". If it is a npm 9 or greater, this might result in bumping the lockfileVersion from 2 to 3. Here are some notes on lockfileVersion values: open-telemetry/opentelemetry-js-contrib#1771 (comment)

For that PR in the contrib repo, I've set lockfile-version=2 in .npmrc to stick with 2 for now -- mainly because that's a lockfileVersion that the default npm that comes with Node.js v16 knows about.

Does anyone else have experience with, or thoughts on whether this repo should move to lockfileVersion: 3?

[trentm]

or increase its frequency if it's already on

It is off by default per https://docs.renovatebot.com/configuration-options/#lockfilemaintenance so I'm guessing it is not currently on.

[pichlermarc]

I wonder what version of npm renovate uses for that regeneration of "package-lock.json". If it is a npm 9 or greater, this might result in bumping the lockfileVersion from 2 to 3. Here are some notes on lockfileVersion values: open-telemetry/opentelemetry-js-contrib#1771 (comment)

that's a good point, thanks for bringing this up!

For that PR in the contrib repo, I've set lockfile-version=2 in .npmrc to stick with 2 for now -- mainly because that's a lockfileVersion that the default npm that comes with Node.js v16 knows about.

We do have some tests (specifically for API backwards compatibility) that run on Node.js v8 which only supports up to npm 6, which in turn, only supports lock file version up to 2 as they're backwards compatibile to lock files version 1.

Does anyone else have experience with, or thoughts on whether this repo should move to lockfileVersion: 3?

I think we should also make this repo stick to lock file version 2 to for the reason of supporting Node.js v8 to v16 in tests

[pichlermarc]

I added the line to use lockfile version 2 in #4275, it'll be beneficial to the developer experience to have it there in case the lock file is re-generated during development and it makes it into a PR - we woudn't want to have it be v3 then.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

[github-actions]

This issue was closed because it has been stale for 14 days with no activity.