
Keep your dependencies in check (FOSDEM)

If Log4Shell, Spring4Shell, etc. have taught us anything, it’s that we need to keep our dependencies up to date. But updating our applications can take a lot of time. How do we stay on top of that, while also continuing to deliver business value?

Luckily, there are plenty of tools that can help us with this, from package managers to bots that can automatically create changes on our repositories. Let’s go over some of the different options, so we can make informed choices about what’s best for us in a particular situation.

Marit van Dijk

February 05, 2023

Transcript

  1. Keep your dependencies in check
     FOSDEM - February 5th, 2023
     https://maritvandijk.com/ @MaritvanDijk77
  2. Gradle
     • Add plugin, e.g. gradle-versions-plugin
     • Run `./gradlew dependencyUpdates`
     https://github.com/ben-manes/gradle-versions-plugin
  3–4. IntelliJ IDEA
     • Intention actions (⌥ ⏎ or Alt+Enter)
     https://www.jetbrains.com/help/idea/package-search.html
  5. SCA: Pros & Cons
     + No need to check out repos individually
     - I have to check the dashboard
     - Apply & verify updates
  6. Dependabot
     • GitHub native
     • Features:
       • Alerts
       • Security updates
       • Version updates
  7. Dependabot version updates
     • Add dependabot.yml (also impacts security updates)
     • Package manager & directory of the manifest file
     • Frequency (daily, weekly, or monthly)
     • Schedule (day, time, timezone)
     • Max. number of PRs (default 5)
     • Some details to manage PRs
     https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
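The options listed on slides 6 and 7 map onto a small `.github/dependabot.yml`. The file below is an added example, not from the deck or from GitHub's docs; it assumes a Gradle project whose build file sits at the repository root, plus a GitHub Actions workflow, and the timezone, label name and ignored dependency pattern are constructed values.

```yaml
# .github/dependabot.yml (added example; the Gradle-at-root layout, timezone,
# label and ignore pattern are assumptions, not values from the slides)
version: 2
updates:
  # One entry per package manager + directory that holds the manifest file
  - package-ecosystem: "gradle"
    directory: "/"                      # where build.gradle(.kts) lives
    schedule:
      interval: "weekly"                # daily | weekly | monthly
      day: "monday"                     # only used with "weekly"
      time: "06:00"
      timezone: "Europe/Amsterdam"      # assumed; any IANA zone name
    open-pull-requests-limit: 5         # default is 5; 0 disables version updates
                                        # for this entry but keeps security updates
    # details that help manage the resulting PRs
    labels:
      - "dependencies"                  # constructed label name
    commit-message:
      prefix: "deps"
    ignore:
      # keep major Spring Boot upgrades out of the bot's PRs and plan them by hand
      - dependency-name: "org.springframework.boot:*"
        update-types: ["version-update:semver-major"]

  # Workflow actions get their own cadence
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Once this file exists, Dependabot security update PRs for the same ecosystem and directory also pick up these settings (labels, commit prefix, ignores), which is why the slide notes that adding the file impacts security updates; an over-broad `ignore` entry can therefore silence a security fix as well as a routine bump.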
  8. Renovate
     • Available via GitHub App
     • Features:
       • Security updates
       • Version updates
       • Project dashboard
       • Job dashboard
  9. Renovate configuration
     • All repos or selected repos
     • Config file is created for you
     • Max. number of PRs / concurrent branches
     • More options
     • More fine-grained
     https://docs.renovatebot.com/configuration-options/
  10. Snyk Open Source
     • Available via Snyk
     • Features:
       • Security updates
       • Version updates
       • Test for new vulnerabilities (on PRs)
       • Test for vulnerabilities in source code
       • Dashboards
     https://snyk.io/
  11. Snyk Open Source configuration
     • Frequency (daily, weekly, never)
     • Enable/disable: new and/or known vulnerabilities
     • Enable/disable PRs for a single project
     https://docs.snyk.io/products/snyk-open-source/open-source-basics
  12. Bots: Pros & Cons
     + Relatively easy to install
     + Automatic PRs
     - Can create "noise"
     - Manage PRs (merge & deploy)
     - No accompanying code changes (if those are needed)
  13. Error Prone
     • Static analysis tool for Java that catches common programming mistakes at compile-time
     • Maven, Gradle, etc.
     • IntelliJ IDEA / Eclipse plugin, command line
     • Bug patterns
     • Report or fix
     • Custom checks
     • Includes Refaster: refactor code using before-and-after templates
     https://errorprone.info/
  14. OpenRewrite
     • Source code refactoring for framework migrations, vulnerability patches, and API migrations
     • Early focus on Java
     • Maven & Gradle
     • Existing recipes
     • Can author recipes
     https://docs.openrewrite.org/