This blog post explores how to keep Open Source library dependencies updated. The primary goal is to speed up fixing dependencies with known vulnerabilities; the secondary goal is to keep dependencies up to date in general. Doing both improves productivity, reduces toil and improves security.
Open Source has gained a lot of traction in recent years and many systems rely heavily on it. At the same time, security practice around it has a lot of room for improvement: according to the OSSRA report, 81% of the analyzed codebases contained at least one vulnerability. Unless teams have good practices for updating Open Source dependencies, vulnerabilities pile up until a component breaks or becomes exposed to a high-risk exploit, and then the scramble to update is on, which is what happened with Log4Shell.
Fortunately, there are tools available that help teams keep dependencies up to date.
GitHub markets all of its dependency management features under the broad term "Dependabot", including:
For this blog post, we will focus on the last topic, "Dependabot Updates". For Open Source projects, Dependabot is free.
Renovate, in contrast, refers only to the single open-source project that provides dependency updates. It isn't intended to provide functionality beyond that, such as the Dependency Graph and Dependency Alerts that GitHub offers. Whitesource Renovate uses the GNU AGPL license.
| Category | Dependabot Updates | Renovate |
|---|---|---|
| Provided by | GitHub (built-in feature); parts are open-source | Open-source project by Mend |
| Supported technologies | Docker, NPM, Maven, PIP, many more | Docker, NPM, Maven, PIP, many more |
Functionality-wise, Dependabot Updates and Renovate are very similar. Renovate offers more customization options, which can be helpful for some teams.
The recommendation is to pick the one that best fits your project or company. For example, if you develop an Open Source project, both Dependabot and Renovate are free. For internal GitHub instances, you can use GitHub Enterprise Security or Renovate.
For the adoption of such a tool, good engineering practices are important:
The impact of security vulnerabilities keeps growing. Therefore, it is important to adopt such tools and let your colleagues know about them.
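To make the "Dependabot Updates" side of the comparison concrete, here is an added example of a `.github/dependabot.yml` for a repository that contains an npm front end, a Python service and a Dockerfile. This is illustration written for this post, not configuration from the original article or from GitHub's documentation; the directory layout (`/` and `/service`), the label name and the schedules are assumptions chosen for the example. The keys used (`version`, `updates`, `package-ecosystem`, `directory`, `schedule`, `open-pull-requests-limit`, `labels`, `groups`) are the documented Dependabot configuration keys.

```yaml
# Added example (not from the original post): Dependabot Updates config
# covering the three ecosystems named in the comparison table.
# Paths, labels and schedules are assumptions for illustration.
version: 2
updates:
  # npm dependencies declared in package.json at the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"          # check daily so a fixed release is picked up quickly
    open-pull-requests-limit: 10 # cap concurrent PRs to keep review load predictable
    labels:
      - "dependencies"           # assumed label used for routing/triage
    groups:
      # collapse non-breaking bumps into a single PR to reduce review toil;
      # major bumps stay as individual PRs so breaking changes get a focused review
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Python dependencies in the service directory (assumed path)
  - package-ecosystem: "pip"
    directory: "/service"
    schedule:
      interval: "weekly"
      day: "monday"

  # Base images referenced by the Dockerfile at the repository root
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
```

Commit this file to the default branch and Dependabot starts opening pull requests on the configured schedule; each `updates` entry is independent, so ecosystems with a high release cadence (npm here) can be polled more often than slow-moving ones (base images). Grouping minor and patch bumps is the main lever for the "reduce toil" goal stated at the top of the post, while keeping major bumps separate preserves a clear review step for potentially breaking changes.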
If you do not want to miss an update on clean code, test automation, communities of practice, decision making, testability and other engineering, craftsmanship and architecture topics, subscribe to the brand new newsletter. The newsletter will not only be used for sharing knowledge, but will also offer opportunities for collaboration, community building and co-creation.