Automating npm updates with a bot #38879

Closed
ruyadorno opened this issue May 31, 2021 · 12 comments

@ruyadorno
Member

ruyadorno commented May 31, 2021

It has been brought to our attention that the usage of an automated bot to help us keep the npm cli up to date in the Node.js repo might be against the project's policies. With that in mind we (the @nodejs/npm team) would like to make sure we bring the issue over to the attention of the TSC in order to get an explicit approval for the usage of a bot that will automatically open PRs updating npm to its latest published version.

The goal here is to make sure the npm cli gets timely updates in the node repo while also reducing the amount of manual work required from both the npm team and node collaborators.

Related to the conversation started in one of the npm update PRs: #38831 (comment)

cc @aduh95

@ruyadorno added the `tsc-agenda` label (Issues and PRs to discuss during the meetings of the TSC.) May 31, 2021
@MylesBorins
Contributor

The idea of automating the opening of dependencies has been discussed in the past. I am +1 for this bot, although I obviously have a conflict of interest.

@devsnek
Member

devsnek commented Jun 1, 2021

+1, automate all the things!

@Trott
Member

Trott commented Jun 1, 2021

> the usage of an automated bot to help us keep the npm cli up to date in the Node.js repo might be against the project's policies

I'm not sure which of our (far too) many policies you are referring to specifically, but I think the relevant text here is the last paragraph in https://github.com/nodejs/admin/blob/fd1d625612b36ba527fd290b767984841c4093fe/GITHUB_ORG_MANAGEMENT_POLICY.md#use-of-bots-and-services:

> Automation tools such as bots and third-party services on any repository must be approved by the TSC and CommComm and are subject to regular security audits.

I don't think there's any codification about what the required approval looks like, and I'd be content with @-mentioning the two groups here, getting a few +1 comments from each, and no -1 comments. (And if we get a -1, that group can talk and maybe vote.)

@nodejs/tsc @nodejs/community-committee

@Trott
Member

Trott commented Jun 1, 2021

+1 to a bot that would open a PR for this, dependabot-style.

(I'd have more questions about a bot that did much more than that (such as automatically land such PRs) but I don't think that's what we're talking about.)

@danielleadams
Contributor

+1 to this purely for moving the npm releases into the latest node releases as efficiently as possible.

@Trott
Member

Trott commented Jun 2, 2021

I saw a PR for updating npm opened by a bot so I think we can close this. If I'm wrong, comment and/or re-open.

@Trott closed this as completed Jun 2, 2021
@ruyadorno reopened this Jun 2, 2021
@ruyadorno
Member Author

hi @Trott, the goal here was to make sure we get explicit approval from the tsc to keep using the bot, since in a previous PR (from that same bot) it was brought up that its usage might be against the project's policies.

@targos
Member

targos commented Jun 2, 2021

@ruyadorno Many TSC members upvoted #38879 (comment) and #38879 (comment). What kind of explicit approval would you like to have?

@Trott
Member

Trott commented Jun 2, 2021

Would it suffice to have this mentioned at a TSC meeting, and documented in minutes?

I don't think we need a vote or anything. So far in this issue, 8 TSC members (out of 22 current members) provided a supportive comment or emoji reaction: Trott, targos, danielleadams, MylesBorins, mcollina, BridgeAR, aduh95, tniessen. None have expressed any concerns.

@ruyadorno
Member Author

> What kind of explicit approval would you like to have?

ah, good question 😅

> Would it suffice to have this mentioned at a TSC meeting, and documented in minutes?

I think this suggestion from @Trott sounds like a great alternative 👍

@tniessen
Member

This was discussed in a previous TSC meeting: nodejs/TSC#1037

* Automating npm updates with a bot [#38879](https://github.com/nodejs/node/issues/38879)
  * Wanted to document in the minutes that it's ok.
  * No objections from those in the meeting, Myles will follow up separately on any policy-related
    stuff.

@Trott removed the `tsc-agenda` label (Issues and PRs to discuss during the meetings of the TSC.) Jun 23, 2021
@Trott
Member

Trott commented Jun 23, 2021

Going to optimistically close this issue but re-open if there's more to be done and I'm closing too soon.

@Trott closed this as completed Jun 23, 2021

7 participants