Renovate now supports updating Dockerfile
Docker image digests
One important way that Docker registries differ from npm is that Docker users mostly reference tags, and tags are not immutable, meaning that not only might (will) the
node:8 tag change (i.e. what you get today with a Docker pull is not the same as you might get tomorrow) but also tags that look like full versions (e.g.
node:8.7.0) may also change, if the image publisher wishes to do so. Whereas in npm, a fully specified version is always immutable and won’t change on you one day (whether accidentally, deliberately, or maliciously).
Docker registries do support immutable tags in the form of digests. Instead of using a tag like
selenium/node-chrome:3.6.0 you can instead use
selenium/node-chrome@sha256:d99b4622b4329bbb563fd1b66c7f6e4b3255394112cb369ca12c8cdc631bc689. This way you are guaranteed the underlying image won’t change, but it’s not really human-friendly.
The good news is that it doesn’t really need to be human-friendly if humans no longer have to update these FROM lines by hand, and instead use Renovate. <ore good news is that Docker does actually allow you to use both a tag and digest in a FROM line to make it more human-friendly, even if the tag is completely ignored. i.e. you can actually use
Renovate’s default behaviour is therefore to “pin” digests, so that any changes to the underlying image that you pull is therefore deliberate, traceable and revertible.
If you use a plain image name without tag, e.g.
node, it will be updated to
If you use an image name with tag, the digest will be added. e.g.
node:8.7.0 will become
node:8 will become
If you prefer to avoid using digests altogether, you can add
"pinDigests": false to your
Once you have pinned digests to your image/tag source, Renovate will keep checking if that tag has a new digest available and raise PRs accordingly.
Therefore you’ll still get updates for your desired tags as they’re available, but instead of them appearing unannounced and potentially breaking your Docker image, instead they will appear as Renovate Pull Requests so that you are aware that something changed and can accept or reject accordingly.
Renovate also now supports upgrading tags, if those tags include a recognisable semver-like scheme.
node:6.10 would receive PRs for
node:8.7.0 would receive a PR for
node:8.7.1 if/once it’s released. This is supported in addition to the digest updating behaviour described above, although digests have been left off these examples for brevity.
Importantly, Renovate also tries to understand tag suffixes. e.g. if your existing docker image is
node:8.6-onbuild then Renovate is smart enough to suggest to you
node:8.7-onbuild and not any other 8.7 upgrades.
Version updating is not enabled by default in Renovate currently. If you wish to try it out, you can add
preview:dockerVersions to your
extends array in
Note the current caveats:
There is no way to turn off the suffix matching (e.g.
-onbuild) so if someone tagged images like
4.0.0-alpha.1then you will not receive a PR for
4.0.0-alpha.2as that would be considered a different suffix.
Renovate cannot yet differentiate between stable and unstable based on version numbers, e.g. if you run
node:6then you will get offered
node:8as Renovate doesn’t know that odd numbers mean unstable
Renovate has no rules for LTS vs non-LTS, e.g. it will propose
node:8as an upgrade to
node:6is LTS while
node:8is just stable
Similar caveats with
ubuntu, e.g. it might propose
17.04as an upgrade from
Mostly these caveats are harmless, i.e. you can simply close any unwanted upgrades and they won’t be suggested again.