Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Joker 2019: Tame your dependencies with Dependa...

Joker 2019: Tame your dependencies with Dependabot!

What is common between Maven, NPM or RPM? It is dependency hell. Continuously updating dependencies is a significant overhead. If you do not do that, any next major update might be a problem for you. It is exactly what we hit while adding Java 11 support to Jenkins. What if we delegate such routine work to a bot? In our project we chose Dependabot, and in this talk I would like to do a brief introduction to the tool.

Oleg Nenashev

October 25, 2019
Tweet

More Decks by Oleg Nenashev

Other Decks in Technology

Transcript

  1. © 2019 CloudBees, Inc. All Rights Reserved. Tame your dependencies!

    Dependabot Oleg Nenashev (@oleg_nenashev) CloudBees, Inc. St. Petersburg, Oct 25, 2019
  2. © 2019 CloudBees, Inc. All Rights Reserved. > whoami @oleg_nenashev

    oleg-nenashev • Based in Neuchatel, Switzerland • Principal SW Engineer, CloudBees • Jenkins core maintainer 2
  3. © 2019 CloudBees, Inc. All Rights Reserved. Lib 1 Lib

    2 Lib 3 Plugin 1 Plugin 2 Plugin 3 Lib 4 Lib 5 Plugin 4 6 + Tool dependencies
  4. © 2019 CloudBees, Inc. All Rights Reserved. 7 > mvn

    versions:display-updates ... ? ? ?
  5. © 2019 CloudBees, Inc. All Rights Reserved. Dependabot • CLI

    tool • SaaS and GitHub App 11 dependabot.com, acquired by GitHub
  6. 13

  7. 14

  8. © 2019 CloudBees, Inc. All Rights Reserved. Advanced options •

    Filtering of versions and artifacts • Validated merge • Integration wit GitHub security engines 23
  9. © 2019 CloudBees, Inc. All Rights Reserved. Dependabot in Jenkins

    • Evaluation started in June 2019 • Enabled in 60+ repositories • 1750+ pull requests • Saves time! 24
  10. © 2019 CloudBees, Inc. All Rights Reserved. Contacts: E-mail: [email protected]

    GitHub: oleg-nenashev Twitter: @oleg_nenashev QUESTIONS? 25