Dependencies add reusable components
They increase productivity
Dependencies require updates
Focus on new code
Dependency updates prevent this
What now?
Ecosystem | Dependencies |
---|---|
NodeJS | package.json |
Java (Maven) | pom.xml |
Java (Gradle) | build.gradle |
Go | go.mod |
Python | setup.py |
Python (poetry) | pyproject.toml |
Ruby | Gemfile |
Rust | Cargo.toml |
Docker | Dockerfile, [docker-]compose.ya?ml |
…and many more!
Ecosystem | Dependencies |
---|---|
Docker | Dockerfile, [docker-]compose.ya?ml |
Kubernetes | *.yaml |
Helm | Chart.yaml |
…and many more!
Required tools, e.g. downloaded from GitHub releases
Versions stored in variables in scripts
The world is on fire
Update dependencies quickly
(Be prepared to) ship fast
Drive adoption of new versions
Know about remaining vulnerabilities
Check options for mitigation
All dependencies can and will introduce vulnerabilities
Newer versions receive security updates
Updates can introduce breaking changes
Regular small updates over seldom large updates
…are too slow
…prevent other tasks
…are ignored until necessary
Can you spot possible updates?
Outdated GitHub actions without pinning
Base image without digest pinning
Outdated version variable
Outdated go.mod for hello world
Outdated requirements.txt for Python tools
Open Source implemented in TypeScript
Clones repository and loads configuration
Searches in numerous places for well-known dependencies
Proposes update in pull/merge requests
Platforms: Azure DevOps (Server), BitBucket, AWS CodeCommit, Gitea/Forgejo, GitHub, GitLab
Datasources: crate, docker, git-tags, gitea-releases, github-releases, gitlab-releases, go, helm, maven, npm, nuget, pypi, rubygems (and dozens more)
Custom Managers for special use cases
Deployment options: GitHub App, Self-hosted
Powerful but complex
Initially many and/or breaking updates
Once settled in, smaller incremental updates
Merge Confidence supports merge decisions for many languages
Integration with GitHub and Dependabot to show updates addressing security alerts
Add renovate.json for onboarding
Check pull requests
Check release notes
Check workflows
Renovate can merge automatically
Requires opt-in through configuration
Requires successful automated tests
Identify updates with low impact, e.g. patches, well-tested packages
Create package rules for automerging
Add package rule for specific cases
Enable automerge for them
Special use cases
Version must be injected into code, e.g.
FROM ubuntu:22.04
# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
Ships with regex to match comment above and configure Renovate
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    ":dockerfileVersions"
  ]
}
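To see what the `:dockerfileVersions` preset will pick up before enabling it, here is an added example (not Renovate's own code) that parses the `# renovate:` annotation lines shown above and applies the annotation's `extractVersion` regex to a release tag. The sample Dockerfile is constructed, and the matching regex is an approximation of the preset's behaviour, not the real one.

```javascript
// Added example, not part of Renovate: find "# renovate: key=value ..." comments
// that annotate an ARG/ENV assignment, and extract the dependency metadata.

// Constructed sample Dockerfile, modelled on the slide's kubectl example.
// The trailing ARG has no annotation and must therefore not be tracked.
const SAMPLE_DOCKERFILE = `
FROM ubuntu:22.04
# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v\${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
# renovate: datasource=npm depName=typescript
ENV TS_VERSION=5.2.2
ARG UNTRACKED=1.0.0
`;

// An annotation comment immediately followed by an ARG or ENV assignment.
const ANNOTATION =
  /^#\s*renovate:\s*(?<kv>.+?)\s*\n\s*(?:ARG|ENV)\s+(?<name>\w+)=(?<version>\S+)/gm;

// Returns one record per annotated assignment: the variable name, its
// current value, and every key=value pair from the comment (datasource,
// depName, extractVersion, ...).
function parseRenovateAnnotations(text) {
  const deps = [];
  for (const m of text.matchAll(ANNOTATION)) {
    const dep = { variable: m.groups.name, currentValue: m.groups.version };
    // Split only in front of the next "key=" so regex values stay intact.
    for (const pair of m.groups.kv.split(/\s+(?=\w+=)/)) {
      const idx = pair.indexOf("=");
      dep[pair.slice(0, idx)] = pair.slice(idx + 1);
    }
    deps.push(dep);
  }
  return deps;
}

// Apply the annotation's extractVersion regex (JavaScript syntax, as Renovate
// itself uses) to a release tag. Returns the tag unchanged when no regex is
// configured, and null when the tag does not match (such tags are skipped).
function extractVersion(dep, tag) {
  if (!dep.extractVersion) return tag;
  const m = new RegExp(dep.extractVersion).exec(tag);
  return m && m.groups && m.groups.version ? m.groups.version : null;
}
```

Running `parseRenovateAnnotations(SAMPLE_DOCKERFILE)` yields the kubectl and TypeScript records only, and `extractVersion` turns the tag `v1.29.0` into `1.29.0` for the kubectl record.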
Now owned by GitHub
Tightly integrated but can run without GitHub
…focus on a single language
…broad support for languages
…is integrated in a specific platform
Offers 591 packages
Uses Renovate at scale
over 5,700 merged PRs
~9 PRs per day
90% merged after ~1min
98% merged after ~6min
Mitigation: Custom implementation of automerge
Name changes in GitHub release asset
Found 50 times in 10 months
Detector for GitHub glitches / outages
Acts as a status page for GitHub