If Log4Shell, Spring4Shell, etc. have taught us anything, it's that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?
@MaritvanDijk77
Selecting dependencies
• Does it solve your problem?
• Is it well maintained?
• Is it popular? What is the community like?
• Is it easy to use? Is it well documented?
• Is it stable & secure?
Dependency information
• https://mvnrepository.com/
• https://cve.mitre.org/ (example entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518)
Renovate configuration
• All repos or selected repos
• Config file is created for you
• Limit concurrent branches / PRs, hourly limit
• More options, more fine-grained: https://docs.renovatebot.com/configuration-options/
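Added example (not from the talk, and not the config Renovate generates for you): a renovate.json that applies the limits the slide lists and treats security updates differently from routine ones. The repository selection ("all repos or selected repos") is an app-install setting, not part of this file. The schedule, timezone, labels, the Maven grouping rule and the jackson-databind package name are assumptions for the example; the option names (prConcurrentLimit, branchConcurrentLimit, prHourlyLimit, packageRules, vulnerabilityAlerts) are Renovate's.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "Europe/Amsterdam",
  "schedule": ["before 6am on monday"],
  "prConcurrentLimit": 5,
  "branchConcurrentLimit": 10,
  "prHourlyLimit": 2,
  "labels": ["dependencies"],
  "packageRules": [
    {
      "matchManagers": ["maven"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "maven non-major updates"
    },
    {
      "matchPackageNames": ["com.fasterxml.jackson.core:jackson-databind"],
      "schedule": ["at any time"]
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"],
    "prPriority": 10
  }
}
```

The point of the two schedules: routine updates are batched into a weekly window and rate-limited so the team is not flooded, while PRs raised from vulnerability alerts (and any update to the one package we care about most) bypass both the schedule and the weekly batching so a fix lands the same day it is published. Check the result in the Dependency Dashboard issue Renovate opens: anything listed as "rate limited" there is a candidate for a higher prHourlyLimit.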
Snyk Open Source configuration
• Frequency (daily, weekly, never)
• Enable/disable: new and/or known vulnerabilities
• Enable/disable PRs for a single project
https://docs.snyk.io/products/snyk-open-source/open-source-basics
OpenRewrite
• Source code refactoring for framework migrations, vulnerability patches, and API migrations with an early focus on the Java language
• Maven & Gradle
• Existing recipes (e.g. Java 8 -> 11, JUnit 4 -> 5)
• Can author recipes
https://docs.openrewrite.org/
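Added example (not from the talk or the OpenRewrite project): a rewrite.yml that shows both slide points, an authored recipe that patches one vulnerable dependency, and a composite that chains two existing migration recipes. CVE-2020-36518, linked from the dependency-information slide, is a jackson-databind advisory, so that is the dependency used here. The recipe names com.example.PatchJacksonDatabind and com.example.ModernizeBuild, the version pattern and the description text are assumptions; org.openrewrite.maven.UpgradeDependencyVersion, org.openrewrite.java.migrate.Java8toJava11 and org.openrewrite.java.testing.junit5.JUnit4to5Migration are existing OpenRewrite recipes.

```yaml
# rewrite.yml in the root of the project being upgraded.
# Added example; the com.example.* names are assumed for illustration.
type: specs.openrewrite.org/v1beta/recipe
name: com.example.PatchJacksonDatabind
displayName: Move jackson-databind off the version affected by CVE-2020-36518
description: Rewrites every pom.xml to a 2.13.x jackson-databind release.
recipeList:
  # Built-in recipe; "2.13.x" selects the newest available 2.13 patch release
  - org.openrewrite.maven.UpgradeDependencyVersion:
      groupId: com.fasterxml.jackson.core
      artifactId: jackson-databind
      newVersion: 2.13.x
---
type: specs.openrewrite.org/v1beta/recipe
name: com.example.ModernizeBuild
displayName: Java 8 to 11 and JUnit 4 to 5 in one pass
description: Chains two existing migration recipes so they run as a single change set.
recipeList:
  # From the rewrite-migrate-java recipe module
  - org.openrewrite.java.migrate.Java8toJava11
  # From the rewrite-testing-frameworks recipe module
  - org.openrewrite.java.testing.junit5.JUnit4to5Migration
```

With Maven, activate a recipe from the command line, pulling in the recipe modules the composite needs: mvn -U org.openrewrite.maven:rewrite-maven-plugin:run -Drewrite.activeRecipes=com.example.ModernizeBuild -Drewrite.recipeArtifactCoordinates=org.openrewrite.recipe:rewrite-migrate-java:RELEASE,org.openrewrite.recipe:rewrite-testing-frameworks:RELEASE (the dependency-upgrade recipe needs no extra module). Run the dryRun goal first instead of run: it writes the proposed changes as a patch under target/ without touching the sources, which is the review step to insist on before letting an automated refactoring land on a large codebase.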