
🏗📦 Switch renovate updates for amphtml from opt-in to opt-out#27692

Merged
rsimha merged 1 commit into ampproject:master from rsimha:2020-04-10-Renovate on Apr 17, 2020

Conversation


@rsimha rsimha commented Apr 10, 2020

When renovate was originally installed to keep amphtml dependencies up to date, only the root package.json was opted in.

Since then, various developers have added a bunch of new package.json / pom.xml files without opting them in to automatic updates. This frequently results in security vulnerabilities due to outdated dependencies.

[Screenshot attached: "Screen Shot 2020-04-10 at 2 33 40 AM"]

This PR removes the includePaths section of .renovaterc.json and enables automatic updates for the following files:

  • package.json
  • extensions/amp-viewer-integration/0.1/messaging/package.json
  • extensions/amp-access/0.1/iframe-api/package.json
  • validator/package.json
  • validator/gulpjs/package.json
  • validator/java/pom.xml
  • validator/nodejs/package.json
  • validator/webui/package.json
  • third_party/amp-toolbox-cache-url/package.json
  • build-system/tasks/storybook/package.json
  • build-system/tasks/visual-diff/package.json
  • build-system/tasks/performance/package.json
  • build-system/tasks/e2e/package.json
  • src/purifier/package.json

I'll merge this after checking with the respective owners on whether automatic updates are desirable, and if not, we can add specific files to ignorePaths.

With this, security vulnerability reports for AMP should become less frequent.

@rsimha rsimha self-assigned this Apr 10, 2020

rsimha commented Apr 10, 2020

I've checked boxes in the PR description for the files that we know can be kept up to date. Adding a few WGs to review the rest. Let me know if it's okay for these files to be kept up to date by renovate. If not, we can opt them out.

  • @ampproject/wg-access-subscriptions:
    • extensions/amp-access/0.1/iframe-api/package.json
  • @ampproject/wg-runtime:
    • extensions/amp-viewer-integration/0.1/messaging/package.json
  • @ampproject/wg-caching:
    • validator/gulpjs/package.json
    • validator/java/pom.xml
    • validator/nodejs/package.json
    • validator/webui/package.json
  • @ampproject/wg-analytics:
    • third_party/amp-toolbox-cache-url/package.json

@rsimha rsimha changed the title 🏗📦 Switch renovate config from opt-in to opt-out mode for package.json files 🏗📦 Switch renovate updates for amphtml from opt-in to opt-out Apr 10, 2020
@rsimha rsimha requested a review from mrjoro April 10, 2020 06:36
@twifkak twifkak self-requested a review April 13, 2020 19:42

twifkak commented Apr 13, 2020

validator/gulpjs/package.json and validator/nodejs/package.json LGTM.

For validator/java/pom.xml and validator/webui/package.json I need more information. How does Renovate bot work? Does it only do patch-level updates? Does it do minor/major updates, too, as long as PR checks pass?

(I'm trying to avoid cc'ing honeybadger since they've already got enough on their plate. I may have to... we'll see.)


rsimha commented Apr 13, 2020

Does it only do patch-level updates? Does it do minor/major updates, too, as long as PR checks pass?

@twifkak the default answer to both these questions is yes. However, we can adjust things to make the updates less frequent, or group them up if you prefer. See the renovate docs for more info. The main goal is to prevent security vulnerabilities from sitting around for long (as is currently the case with the Java Validator).

/cc @rcebulko as an FYI, in light of ampproject/amp-github-apps#284 (comment)


rsimha commented Apr 17, 2020

Bumping this PR for input from all the working groups. The option I am considering right now is to enable updates for all these sets of packages and fine tune later as the updates start coming in.

The reason this is slightly urgent is that we currently have a bunch of security vulnerabilities that are easily prevented once this PR lands.

@honeybadgerdontcare (Contributor) commented

/cc @GeorgeLuo for validator/java/pom.xml

@honeybadgerdontcare honeybadgerdontcare left a comment

Approved for the validator change. Asking @GeorgeLuo to approve in comments for the Java validator.


rsimha commented Apr 17, 2020

Merging this PR so we can quickly address existing security vulnerabilities.

Owners of individual package files: If you want to opt out of updates for a package file, add it to ignorePaths in .renovaterc.json.

@rsimha rsimha merged commit 74e3661 into ampproject:master Apr 17, 2020
@rsimha rsimha deleted the 2020-04-10-Renovate branch April 17, 2020 22:04
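The two configuration knobs this thread turns on are `includePaths` (the opt-in allow-list the PR removes) and `ignorePaths` (the opt-out list owners are told to use), plus the `packageRules` that rsimha points to for grouping or throttling minor/major updates. The following is an added illustrative config, not the project's actual `.renovaterc.json`: the file paths in `ignorePaths`, the group names, labels and schedule are assumed values chosen for the example, and the key names are the ones Renovate documents today (`matchManagers`, `matchUpdateTypes`), which may differ from what the 2020 config accepted. It is written as JSON5 so the assumptions can be marked in comments; a plain `.renovaterc.json` would need those comments stripped.

```json5
// Added example: an opt-out Renovate config for a repo laid out like amphtml.
// Not the project's real config; every path, label and schedule here is an
// assumed value for illustration.
{
  // Before the change the config carried an opt-in allow-list:
  //   "includePaths": ["package.json"]
  // so every package.json / pom.xml added elsewhere was silently never
  // updated. Leaving includePaths out makes every supported package file a
  // candidate, which is the whole point of the PR.

  // Opt-out list: owners who do not want automatic updates add their file here
  // (assumed entry; the thread itself opted nothing out).
  "ignorePaths": ["validator/webui/package.json"],

  "packageRules": [
    // Answer to "does it do minor/major too?": yes, by default all update
    // types are proposed. Grouping plus a schedule keeps the PR volume
    // tolerable for the Maven-managed Java validator without dropping
    // coverage of its dependencies.
    {
      "matchManagers": ["maven"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "java validator minor/patch updates",
      "schedule": ["before 5am on monday"]
    },
    // Majors still arrive for npm packages, one PR each, so a breaking bump
    // is reviewed on its own rather than buried in a grouped PR.
    {
      "matchManagers": ["npm"],
      "matchUpdateTypes": ["major"],
      "labels": ["dependency-major"]
    }
  ],

  // PRs that fix a reported vulnerability get an extra label so they are easy
  // to triage ahead of routine bumps. Renovate only raises these when it can
  // see the repository's vulnerability alerts.
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

The practical check after landing a config like this is to watch the first wave of PRs per package file: a file that produces a flood of unrelated bumps is a candidate for a `groupName` rule, and only a file whose owner genuinely cannot absorb updates belongs in `ignorePaths`, since anything listed there goes back to the silent-drift state the PR was fixing.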
@jpettitt (Contributor) commented

extensions/amp-access/0.1/iframe-api/package.json is fine to keep up to date


6 participants