
RFC: Streamline bumping dependent packages on GitHub #2949

Open
dlqqq opened this issue Nov 13, 2023 · 1 comment

Comments


dlqqq commented Nov 13, 2023

Problem: Users are unintentionally using older versions of node-gyp than the one included with NPM because their dependencies are resolving node-gyp to an older version. When node_modules/.bin/node-gyp is present, NPM always defaults to using that local version instead of the global version.

I'd like to start a discussion on this idea:

Is it possible to query the NPM registry, determine the dependent packages with the highest number of downloads, and then reach out to their GitHub repos to ensure that they bump node-gyp on every major release?

I've only entertained this idea for a short while, but it seems like contributors would have to:

  • Find/write some script to find the largest dependents of node-gyp (e.g. canvas).
  • Write a GitHub app/workflow that bumps the declared version of node-gyp, and is triggered by every new major release of node-gyp.
  • Reach out to the GitHub repositories of the largest dependents, and contribute this app/workflow.
  • Finally, advertise this app/workflow to other repositories, so they can also keep their node-gyp versions up-to-date automatically.

While this doesn't guarantee that local versions of node-gyp will be up-to-date, this would significantly reduce the frequency of users reporting issues due to an older node-gyp version. This is because if multiple major versions of node-gyp are present, node_modules/.bin/node-gyp symlinks to the highest version of node-gyp.

Conclusion: For any package, just one dependency using the latest major version of node-gyp is sufficient. If this RFC were accepted, users would report outdated node-gyp versions far less frequently.
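The audit a maintainer would want before and after such a bump, as an added example in JavaScript that is not code from the node-gyp project or from the issue author: it reads a package-lock.json (lockfileVersion 3), lists every installed copy of node-gyp, works out which copy each dependent's lifecycle scripts would actually find (npm puts a package's own node_modules/.bin ahead of each ancestor's on PATH, so a nested copy wins over the hoisted one), flags copies below a chosen major, and performs the package.json rewrite a bump workflow would make. The lockfile and package.json are constructed: the package names "example-app", "some-addon" and "plain-dep", and every version number, are made up for illustration; the minimum major (10) is an assumed target, not a node-gyp release claim.

```javascript
// Added example, not code from the node-gyp project or the issue author.
// Audits which copy of node-gyp each package in a project would actually run,
// from a package-lock.json (lockfileVersion 3), and shows the package.json
// edit a bump workflow would make. The lockfile and package.json below are
// constructed: "example-app", "some-addon", "plain-dep" and every version
// number are made up for illustration.

// Constructed lockfile: one hoisted copy of node-gyp (10.0.1) and two copies
// nested under dependents that pin older ranges.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { canvas: '^2.0.0', 'some-addon': '^1.0.0', 'plain-dep': '^3.0.0' } },
    'node_modules/node-gyp': { version: '10.0.1' },
    'node_modules/canvas': { version: '2.11.2', dependencies: { 'node-gyp': '^9.0.0' } },
    'node_modules/canvas/node_modules/node-gyp': { version: '9.4.0' },
    'node_modules/some-addon': { version: '1.2.0', dependencies: { 'node-gyp': '^7.0.0' } },
    'node_modules/some-addon/node_modules/node-gyp': { version: '7.1.2' },
    'node_modules/plain-dep': { version: '3.0.0' },
  },
};

// Constructed package.json of a dependent that still declares an old range.
const SAMPLE_PKG = { name: 'canvas', version: '2.11.2', dependencies: { 'node-gyp': '^9.0.0' } };

// Turn a lockfile path such as "node_modules/canvas/node_modules/node-gyp"
// into the chain of package names it nests under: ["canvas", "node-gyp"].
function packageChain(lockPath) {
  return lockPath.split('node_modules/').map((s) => s.replace(/\/$/, '')).filter(Boolean);
}

// Every installed copy of node-gyp: lockfile path, version, major, and the
// package it is nested under ("" for the hoisted top-level copy, which is the
// one whose bin is linked as node_modules/.bin/node-gyp).
function findNodeGypCopies(lock) {
  const copies = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    const chain = packageChain(lockPath);
    if (chain[chain.length - 1] !== 'node-gyp') continue;
    copies.push({
      path: lockPath,
      version: entry.version,
      major: Number(entry.version.split('.')[0]),
      dependent: chain.length > 1 ? chain[chain.length - 2] : '',
    });
  }
  return copies;
}

// The copy a package's lifecycle scripts (e.g. "install": "node-gyp rebuild")
// find first: npm puts the package's own node_modules/.bin on PATH ahead of
// each ancestor's, so the search walks up from the package's lockfile path.
// null means no copy is installed anywhere and npm's bundled node-gyp runs.
function resolveForPackage(lock, pkgLockPath) {
  let dir = pkgLockPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/node-gyp` : 'node_modules/node-gyp';
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!dir) return null;
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

// Copies below the major version the project wants every dependent on.
function outdatedCopies(copies, minMajor) {
  return copies.filter((c) => c.major < minMajor);
}

// The edit a bump workflow would make in a dependent's package.json: rewrite
// the declared node-gyp range wherever it appears. Returns a fresh object and
// whether anything changed; the input object is left untouched.
function bumpDeclaredNodeGyp(pkgJson, newRange) {
  const out = JSON.parse(JSON.stringify(pkgJson));
  let changed = false;
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    if (out[field] && 'node-gyp' in out[field] && out[field]['node-gyp'] !== newRange) {
      out[field]['node-gyp'] = newRange;
      changed = true;
    }
  }
  return { pkgJson: out, changed };
}

// Human-readable audit: one line per installed copy, then one line per
// package saying which copy its scripts would run.
function report(lock, minMajor) {
  const lines = findNodeGypCopies(lock).map(
    (c) => `${c.path}: ${c.version}` + (c.major < minMajor ? `  (older than ${minMajor}.x)` : ''),
  );
  for (const pkgPath of Object.keys(lock.packages)) {
    const chain = packageChain(pkgPath);
    if (!pkgPath || chain[chain.length - 1] === 'node-gyp') continue; // skip root and node-gyp itself
    const r = resolveForPackage(lock, pkgPath);
    lines.push(`${pkgPath} runs ${r ? r.version : "npm's bundled node-gyp"}`);
  }
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(SAMPLE_LOCK, 10).join('\n'));
  console.log(JSON.stringify(bumpDeclaredNodeGyp(SAMPLE_PKG, '^10.0.0').pkgJson, null, 2));
}
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`; the same walk applies to scoped packages, since "@scope/pkg" contains no "node_modules/" segment. The point the audit makes concrete is the one in the issue: bumping the range in one dependent's package.json only fixes that dependent's nested copy, and a second dependent pinning an older range keeps running its own.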

cclauss (Contributor) commented Nov 13, 2023

https://docs.github.com/en/code-security/dependabot is the workflow that you are talking about and GitHub offers it free of charge to all open-source projects. There are numerous automated tools to keep deps in sync. (https://docs.renovatebot.com for example). Getting developers to implement these tools takes a ton of both time and patience.
