Update the packages inside a Dockerfile

[micheelengronne]

According to hadolint and the Docker documentation, we should pin packages in a Dockerfile

https://github.com/hadolint/hadolint/wiki/DL3008
https://github.com/hadolint/hadolint/wiki/DL3016
https://github.com/hadolint/hadolint/wiki/DL3018
https://github.com/hadolint/hadolint/wiki/DL3013

Renovate should be able to change the packages versions according to a repository or a list of repositories.

Currently, I wildcard to the major version of each package.

[rarkins]

Yes, but first we need to make sure we already have datasources for those, e.g. alpine packages.

Ones like npm would be easier as we already have great npm support.

[micheelengronne]

Yes, but npm we can easily circumvent by importing an external package.json with its lock (yarn.lock or other).

That is not possible with system packages like apk and deb.

[rarkins]

Agreed. I was just mentioning that because "npm install" is one of the hadolint examples you gave. I would prefer to start on apk/deb too

[adam-moss]

For alpine you can use http://dl-cdn.alpinelinux.org/alpine/ as the data source. Note alpine doesn't appear to keep old versions of products, only the latest is present in the repo.

[adam-moss]

It would be nice if we could include yum support too :)

[micheelengronne]

I think that the datasources should be configurable as users can configure other repositories than the default with more recent packages in them.

[fullstackzach]

I would be interested in this feature too, for alpine-linux package updates

[rarkins]

@fullstackzach can you give an example Dockerfile or line in particular?

[rarkins]

As a workaround it should be possible to add a custom rule using our new regex-based manager: https://docs.renovatebot.com/modules/manager/regex/
However potentially new datasources are needed first. So far this feature request is short on examples so not possible to be sure.

[HonkingGoose]

Do we need other stuff before we can begin? New datasources maybe?

I also get the impression that we're waiting on examples given this comment from rarkins:

fullstackzach can you give an example Dockerfile or line in particular?

Maybe we should label this blocked if we're waiting for examples/input from other users?

Also I'm not sure what priority label to give this, so I'll let the Renovate team decide.

[rarkins]

I think we can close this. Reasoning:

• Datasources need to exist, and probably most already do. Any extras should have their own issue for tracking
• It's unlikely we can accurately detect install patterns on our own without sacrificing accuracy, so it's better to use Dockerfile annotations like we do here: https://github.com/renovatebot/docker-renovate-full/blob/master/Dockerfile
• Updating annotated packages is possible already with the regex manager, here are some examples: https://github.com/renovatebot/.github/blob/cf278491c92f78960db271c34d58522051aedfc3/default.json#L105-L120