Conducting Real-Time Dependency Management with Renovate


Today it is hard to imagine application development without open-source libraries and software. According to a report, 98% of the codebases scanned contained open-source software, libraries or components in some form.

In application development, these open-source packages are integrated into the application as dependencies. Using them means reusing already developed components for free, which saves development effort and therefore cost. Open-source components have their benefits and their drawbacks.

One major drawback is the continuous work of keeping the versions of the libraries you use current and secure. This is called dependency management.

As a security best practice, outdated open-source components should not be used: they frequently carry publicly known vulnerabilities (A06:2021 Vulnerable and Outdated Components in the OWASP Top 10). Any development team that relies on open-source therefore has to stay on its toes to keep its dependencies updated and secure.

Intro to Renovate #

One solution that helps reduce this burden is Renovate. Renovate is a free tool that saves time and reduces open-source risk by automating the processing of dependency updates in software projects. Being easy to use and freely available, it has gained a lot of popularity among developers.

Renovate is now also endorsed by the OpenSSF (Open Source Security Foundation) and Google as an industry-standard tool for dependency management.

It has some stand-out features that make it a go-to dependency management tool. It automates dependency updates through pull requests. For npm packages, it also opens replacement pull requests to move from a deprecated package to the community-recommended replacement, which it identifies by parsing the package files.

Because it is free and open-source, it can be installed from npm/Yarn or pulled from Docker Hub, and it can be self-hosted or used as a hosted GitHub App. Once set up, it discovers all package files in each repository. It supports monorepo directory structures, including Lerna and Yarn Workspaces with zero configuration, and many languages and ecosystems: JavaScript, Java, Ruby, PHP, Python, Go, Rust (Cargo), Elixir, Docker and more.

Finally, Renovate lets you customize run schedules, for example to weekends, outside working hours, or weekly and monthly. Pull requests created in response to vulnerability alerts can be exempted from that schedule, so a conservative schedule for routine updates does not have to delay security fixes.

These features make Renovate stand out from its competitors as a popular choice. It is also worth mentioning that Renovate is not only a multi-language tool but also a multi-platform tool. Platforms supported by Renovate include Gitea, Bitbucket Server, Bitbucket Cloud, GitLab (.com and CE/EE), GitHub (.com and Enterprise Server), and Azure DevOps.

Let’s try and understand more about Renovate by exploring ways to install it and use it on different popular platforms.

As a Renovate end user, there are two main ways you can use it.

  1. Self-host Renovate, for example by running the pre-built Docker image or the npm package on infrastructure you control.

  2. Use a hosted instance run by someone else, and install/configure it for the repositories you choose. Most commonly this is the Renovate GitHub App on GitHub.com.

Using Hosted GitHub App #

Configuring/installing Renovate's GitHub App is fairly simple. Below are the steps for installation.

  1. Navigate to the Renovate app on GitHub and install it in your GitHub account or organization.

  2. Once the app is installed, choose whether to run Renovate on all repositories or only on selected ones. Granting access only to the repositories that need it is the least-privilege option.

Once you have enabled Renovate on a repository, you will get a "Configure Renovate" onboarding pull request. It adds a renovate.json file with a starting configuration to the repository; review and merge it, and Renovate starts scanning that repository for updates.

Installing Renovate via NPM (Node Package Manager) #

You can install Renovate from npm using the following command.

Note: Make sure you have npm installed on your machine and an active internet connection.

npm i renovate
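The following script is an added example, not code from the original post or from the Renovate project. It serves both the "Configure Renovate" onboarding step above and the self-hosted npm install: it writes a renovate.json of the kind the onboarding pull request creates, extended with security-minded settings (pinned Docker and GitHub Actions digests, vulnerability-alert PRs that ignore the schedule, a restricted automerge rule), sanity-checks the file, and wraps the self-hosted CLI invocation. The repository name example-org/example-app, the RENOVATE_TOKEN variable and the check_renovate_config helper are assumptions for illustration; the config keys and presets are Renovate's own.

```shell
#!/bin/sh
# Added example (not from the original post): write a hardened renovate.json
# and show how a self-hosted Renovate run against one repository looks.
# Assumed placeholders: example-org/example-app, RENOVATE_TOKEN.
set -eu

# Write the repository config that the "Configure Renovate" onboarding PR
# would otherwise create, extended with security-minded settings.
write_renovate_config() {
  target="$1"
  cat > "$target" <<'EOF'
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests"
  ],
  "timezone": "Europe/London",
  "schedule": ["after 10pm and before 5am every weekday", "every weekend"],
  "dependencyDashboard": true,
  "prConcurrentLimit": 5,
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "schedule": ["at any time"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    }
  ]
}
EOF
}

# Sanity-check the file before committing it. It must parse as JSON (checked
# with node when available) and must keep the settings that matter for
# security: the recommended base preset and the vulnerabilityAlerts block,
# otherwise security fix PRs would wait for the routine schedule.
# Note: vulnerabilityAlerts relies on the platform's vulnerability alerts
# (Dependabot alerts on GitHub) being enabled for the repository.
check_renovate_config() {
  file="$1"
  if command -v node >/dev/null 2>&1; then
    node -e 'JSON.parse(require("fs").readFileSync(process.argv[1], "utf8"))' "$file" || return 1
  fi
  grep -q '"config:recommended"' "$file" || return 1
  grep -q '"vulnerabilityAlerts"' "$file" || return 1
  grep -q '"docker:pinDigests"' "$file" || return 1
  return 0
}

# Run the self-hosted CLI (installed with `npm i -g renovate`) against one
# repository. Use a token scoped to that repository rather than a broad
# personal token; the variable name is a placeholder for this example.
run_renovate() {
  repo="$1"
  RENOVATE_TOKEN="${RENOVATE_TOKEN:?set a repository-scoped token}" \
  LOG_LEVEL=info \
    renovate --platform=github "$repo"
}

RENOVATE_EXAMPLE_CONFIG="${TMPDIR:-/tmp}/renovate-example.json"
write_renovate_config "$RENOVATE_EXAMPLE_CONFIG"
check_renovate_config "$RENOVATE_EXAMPLE_CONFIG"
# run_renovate example-org/example-app   # needs network and a token
```

Commit the generated file as renovate.json at the repository root (it replaces the one the onboarding PR proposes). The automerge rule deliberately excludes 0.x versions, where a "minor" bump can be a breaking change, and the pinDigests presets make the Docker images and GitHub Actions in the repository immutable by digest, so that a moved tag cannot silently change what your pipeline runs.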

Conclusion #

The use of open-source software is highly prevalent in application development in the form of dependencies: about 98% of codebases use it in some form. Open-source software makes developers' lives easier, but it also adds the overhead of having to constantly track, upgrade and manage those dependencies.

We discussed how dependencies that are not kept at their latest secure versions become a threat to the overall security posture of the application.

Managing and upgrading all the open-source dependencies of a project manually can be a nightmare, and along the way a critical security upgrade can be missed, as happened in the 2017 Equifax breach. It is therefore best to have a sustainable approach to managing open-source dependencies.

This is where real-time dependency management tools like Renovate shine, by constantly identifying and upgrading the open-source dependencies in a project automatically.

I hope you managed to get a good understanding about real-time open-source dependency management through this post.
