This post explores how to keep Open Source library dependencies up to date. The primary goal is to speed up fixing dependencies with known vulnerabilities; the secondary goal is to keep dependencies current in general. Both improve productivity, reduce toil and improve security.
Open Source has gained a lot of traction in recent years and many systems rely heavily on it. At the same time, security practice around it has a lot of room for improvement: according to the OSSRA report, 81% of the analyzed codebases contained at least one vulnerability. Unless teams have good practices for updating Open Source dependencies, vulnerabilities pile up, a component breaks or becomes exposed to a high-risk exploit, and then the scramble to update is on (as happened with Log4Shell).
Fortunately, there are tools available that help teams keep dependencies up to date.
Dependabot
GitHub markets all of its dependency management under the broad term “Dependabot”, including:
- Dependency Graph: Which dependencies and licenses does my project have?
- Dependabot Alerts: Which of my dependencies have known vulnerabilities?
- Dependabot Updates: Create pull requests that update dependencies either to the newest version (version updates) or to a version that fixes a known vulnerability (security updates).
In this post we focus on the last item, “Dependabot Updates”. For Open Source projects, Dependabot is free of charge.
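As an added example (not from the original post), a minimal `.github/dependabot.yml` that enables Dependabot version updates for the ecosystems the post lists and caps the number of open PRs so the review queue stays manageable; the directories, schedule intervals and label are assumptions about a hypothetical repository layout.

```yaml
# .github/dependabot.yml (added example; directories and schedules are assumed)
# This file configures Dependabot version updates. Security updates (PRs for
# dependencies that have a Dependabot Alert) are enabled separately in the
# repository settings.
version: 2
updates:
  # Container base images referenced from ./Dockerfile (assumed path)
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # NPM packages declared in ./frontend/package.json (assumed path)
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5   # keep the review queue short
    labels:
      - "dependencies"

  # Maven dependencies declared in ./backend/pom.xml (assumed path)
  - package-ecosystem: "maven"
    directory: "/backend"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # Python requirements in ./scripts/requirements.txt (assumed path)
  - package-ecosystem: "pip"
    directory: "/scripts"
    schedule:
      interval: "weekly"
```

Commit the file to the default branch; Dependabot then opens update PRs on the configured schedule, which your CI pipeline should test before they are merged.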
Renovate
Renovate refers to a single open-source project that provides dependency updates only. It is not intended to provide functionality beyond that, such as a dependency graph or vulnerability alerts. Whitesource Renovate is licensed under the GNU AGPL.
| Category | Dependabot Updates | Renovate |
|---|---|---|
| Provided by | GitHub (built-in feature); parts are open-source | Open-source project by Mend |
| Supported technologies | Docker, NPM, Maven, PIP, many more | Docker, NPM, Maven, PIP, many more |
Functionality-wise, Dependabot Updates and Renovate are very similar. Renovate offers more customization, which might be helpful for some teams.
The recommendation is to pick the one that fits your project or company best. For example, if you develop an Open Source project, both Dependabot and Renovate are available for free. For internal GitHub instances, you can use GitHub Enterprise Security or Renovate.
Related Practices
Adopting one of these tools works best when it is backed by good engineering practices:
- Review PRs on time: Adopting one of the tools should include reviewing and merging its PRs promptly. This reduces the burden on the CD infrastructure and improves security by closing vulnerabilities quickly.
- Confidence in the test automation suite: Updating dependencies carries a small risk of regressions, so run your automated tests on every update PR and make sure you trust your automated test suite.
Call for Action
The impact of security vulnerabilities keeps growing. Therefore, it is important to adopt such tools and let your colleagues know about them.
Subscribe to Newsletter:
If you do not want to miss an update on clean code, test automation, communities of practice, decision making, testability and other engineering / craftsmanship / architecture topics, subscribe to the brand new newsletter. The newsletter will not only share knowledge but also offer opportunities for collaboration, community building and co-creation.