Dependencies add reusable components
They increase productivity
Dependencies require updates
Focus on new code
Dependency updates prevent this
What now?
Ecosystem | Dependencies |
---|---|
NodeJS | package.json |
Java (Maven) | pom.xml |
Java (Gradle) | build.gradle |
Go | go.mod |
Python | setup.py |
Python (Poetry) | pyproject.toml |
Ruby | Gemfile |
Rust | Cargo.toml |
Docker | Dockerfile, [docker-]compose.ya?ml |
…and many more!
Ecosystem | Dependencies |
---|---|
Docker | Dockerfile, [docker-]compose.ya?ml |
Kubernetes | *.yaml |
Helm | Chart.yaml |
…and many more!
Required tools, e.g. downloaded from GitHub releases
Versions stored in variables in scripts
SBOM is an inventory of dependencies
Provides visibility
Can be matched against known vulnerabilities
Choose dependencies wisely
Update dependencies quickly
(Be prepared to) ship fast
Drive adoption of new versions
Know about remaining vulnerabilities
Check options for mitigation
All dependencies can and will introduce vulnerabilities
Newer versions receive security updates
Updates can introduce breaking changes
Regular small updates over seldom large updates
…are too slow
…prevent other tasks
…are ignored until necessary
Can you spot possible updates?
Outdated GitHub actions without pinning
Base image without digest pinning
Outdated version variable
Outdated go.mod for hello world
Outdated requirements.txt for Python tools
Open Source implemented in TypeScript
Clones repository and loads configuration
Searches in numerous places for dependencies
Proposes update in pull/merge requests
Platforms: Azure DevOps (Server), BitBucket, AWS CodeCommit, Gitea/Forgejo, GitHub, GitLab
Datasources: crate, docker, git-tags, gitea-releases, github-releases, gitlab-releases, go, helm, maven, npm, nuget, pypi, rubygems (and dozens more)
Custom Managers for special use cases
Deployment options: GitHub App, Self-hosted
Powerful but complex
Initially many and/or breaking updates
Once settled in, smaller incremental updates
Add renovate.json for onboarding
Check pull requests
Check release notes
Check workflows
Renovate can merge automatically
Requires opt-in through configuration
Requires successful automated tests
Identify updates with low impact, e.g. patches, well-tested packages
Create package rules for automerging
Add package rule for specific cases
Enable automerge for them
Nothing out-of-the-box
Filter log for errors / failures for…
Check for failed pipelines
Check for failed automerges
Failures will show in the log
Create and analyze SBOM
Special use cases
Version must be injected into code, e.g.
```dockerfile
FROM ubuntu:22.04
# renovate: datasource=github-releases depName=kubernetes/kubernetes extractVersion=^v(?<version>.+?)$
ARG KUBECTL_VERSION=1.28.2
RUN curl -sSfLO "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
```
Ships with a regex preset that matches the comment above and configures Renovate (trailing comma after the array removed, since renovate.json must be valid JSON)
```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    ":dockerfileVersions"
  ]
}
```
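The following configuration is an added example (not from the slides or the Renovate project) that ties together the package rules for automerging from the earlier slides and the Dockerfile version comment above, written out as an explicit custom manager instead of the preset. It assumes the file is named renovate.json5 (Renovate accepts JSON5, so comments are allowed) and uses option names as they existed in Renovate around the kubectl 1.28 era; `fileMatch` was later renamed, so check the docs for your Renovate version.

```json5
// renovate.json5: hypothetical repository configuration (added example)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Raise PRs for releases that address vulnerability alerts reported via
  // GitHub Dependabot (requires GitHub and the Dependency Graph)
  "vulnerabilityAlerts": { "labels": ["security"] },
  // Replace mutable tags on base images with tag+digest to close the
  // "base image without digest pinning" gap
  "pinDigests": true,
  "packageRules": [
    {
      // Low-impact updates: patch releases only. Renovate merges them itself,
      // but only after the PR's required status checks have passed.
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      // Give upstream time to retract a broken release before we take it
      "minimumReleaseAge": "3 days"
    },
    {
      // GitHub Actions are well tested in practice; also automerge pins and
      // digest refreshes so workflows stay pinned to immutable commits
      "matchManagers": ["github-actions"],
      "matchUpdateTypes": ["minor", "patch", "pin", "pinDigest", "digest"],
      "automerge": true
    },
    {
      // Major updates of anything go through human review
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  "customManagers": [
    {
      // Explicit equivalent of the preset on the slide: reads the
      // "# renovate: datasource=... depName=..." comment and the ARG line
      // below it, so KUBECTL_VERSION=1.28.2 is tracked against
      // github-releases of kubernetes/kubernetes
      "customType": "regex",
      "fileMatch": ["(^|/|\\.)Dockerfile$"],
      "matchStrings": [
        "# renovate: datasource=(?<datasource>[a-z-]+?) depName=(?<depName>[^\\s]+?)( versioning=(?<versioning>[^\\s]+?))?( extractVersion=(?<extractVersion>[^\\s]+?))?\\s+ARG \\w+=(?<currentValue>.+?)\\s"
      ]
    }
  ]
}
```

Validating the file locally (for example with `renovate-config-validator`) before committing avoids the "configuration changes will break Renovate" failure mode described later in the deck.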
Merge Confidence supports merge decisions
Based on data collected from countless PRs on GitHub
Supported ecosystems: Go, JavaScript, Java, Python, .NET, PHP, Ruby
Age of the package
Adoption percentage for other Renovate users with this release
Passing percentage of updates with successful checks
Confidence calculated by proprietary algorithm
Show updates addressing security alerts
Requires GitHub and Dependabot
Enable GitHub Dependency Graph
Configuration changes will break Renovate
Factor out the change
Test in a separate repository
(Optionally) run Renovate manually for speed
Do not commit changes
Run Renovate locally using --platform=local
Now owned by GitHub
Tightly integrated but can run without GitHub
…broad support for languages
…is integrated in a specific platform
Offers 632 packages
Uses Renovate at scale
over 6.725 merged PRs
~9 PRs per day
90% merged after ~1min (6.050 PRs)
95% merged after ~3min (6.390 PRs)
98% merged after ~10min (6.590 PRs)
Mitigation: Custom implementation of automerge
Name changes in GitHub release asset
Found 70 times in 12 months
Detector for GitHub glitches / outages
Acts as a status page for GitHub