Modernising and securing Joplin, one package at a time

If you watch the Joplin source code repository, you may have noticed a lot of Renovate pull requests lately. This Renovate tool is a way to manage dependencies - it automatically finds what needs to be updated, then upgrade it to the latest version, and create a pull request. If all tests pass, we can then merge this pull request. So far we have merged 267 of these pull requests.

Updating Joplin packages was long due. It is necessary so that we don't fall behind and end up using unsupported or deprecated packages. We also benefit from bug fixes and performance improvements. It is also important in terms of security, since recent package versions usually include various security fixes.

We used to rely on a tool called "npm audit" to do this, however it no longer works on the Joplin codebase, and it was always risky to use it since it would update multiple packages in one command - so if something went wrong it was difficult to find the culprit.

Renovate on the other hand upgrades packages one at a time, and run our test units to ensure everything is still working as expected. It also upgrades multiple instances of the same package across the monorepo, which is convenient to keep our code consistent. It also has a number of options to make our life easier, such as the ability to automatically merge a pull request for patch releases since this is usually safe (when a package is, for example upgraded from 1.0.1 to 1.0.3).

Although Renovate automates the package upgrades it doesn't mean all upgrades are straightforward - our tests won't catch all issues, so the apps might end up being broken or cannot be compiled anymore. So there's manual work involved to get everything working after certain upgrades - for the most part this has been done and the apps appear to be stable so far.

This will however be an important part of pre-release 2.10 (or should it be 3.0?) - we hope that everything works but we may need your support to try this version and report any glitch you may have found. As always pre-release regressions have the highest priority so we aim to fix them as quickly as possible.


Neat. Do these piles of updates include updating Chromium? There are some CSS things I'd like to do that I think could be solved by :has(), but it's apparently not until v105 that it becomes supported.

For now we'll keep manually updating Electron because past releases had many breaking changes so we need to manually test.

Recent releases have been better though, so perhaps we could enable automatic updates at some point

Great to see this happening, keeping a decently large codebase up-to-date is a chore, but oh so important. When do you think we'll see a prerelease to kick the tires of?

(And unless there's a big, backwards incompatible, API or plugin breaking change... I'd say stick with 2.x)

1 Like

that would also keep mermaid up-to-date, wouldn't it?

can't wait for newest version to try mindmap :slight_smile: (it required v9.2.2)

Just checked, the bot fails to update automatically and apparently it's more complicated than a simple version number, but yes, I would assume it is included

Thosee mindmaps look great though, very simple syntax and still very customisable!

thx for checking what makes him fail?

I have absolutely no idea, I'm not one of the devs, I just went hunting because I was curious...

No problem, I thought you some details, as you checked the bot

I guess you will get it in the next pre-release(or release)

1 Like