DCX Technology Radar

Dependency Update Scan

security, ci/cd
This item was not updated in the last three editions of the Radar. If it appeared in one of the more recent editions, there is a good chance it remains pertinent. If the item dates back further, its relevance may have diminished and our current assessment could differ. Regrettably, our capacity to revisit items from past Radar editions consistently is limited.
Adopt

Tools for automated dependency updates continue to deliver a big productivity gain when they are well integrated into the build workflow.

This comes with a word of warning, however. Constant updates can quickly turn into a flood of merge requests, so the chosen tools must work reliably and be well integrated, or the volume becomes overwhelming for teams. As an alternative, we have also had good experience with disabling automatic merge requests and manually triggering the update job when we wanted to take care of the updates.

Trial

The assessment for this edition is identical to the text under Adopt above.

Assess

Automated dependency scans remove the manual task of regularly checking for version updates. Our teams use the open source bots Renovate and Scala Steward, both running as scheduled GitLab jobs on our internal infrastructure. The bots regularly create merge requests with dependency version updates against our projects.

Automating this has several advantages:

  • Important dependency updates (e.g. security fixes) are available very shortly after they have been published. Note that the same speed applies to a broken or compromised release, so a short waiting period for non-security updates is a sensible counterweight.
  • Changelogs are referenced in the merge requests, making it easy to review whether the update is relevant.
  • An automatically triggered pipeline runs our test suites against the update, so a green pipeline gives us confidence, to the extent of the test suite's coverage, that the version update is non-breaking.
  • Regular small updates are easier to maintain than bulk updates of many libraries at once, reducing the risk of introducing compatibility-breaking changes.

Automated merge requests let us focus on reviewing, testing and prioritising dependency version updates with considerably less effort.
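As an added example (not the radar's own configuration, nor code from DCX or the Renovate project), the following GitLab CI job shows how the scheduled Renovate run described here can be wired up, including the guard rails against the merge-request flood mentioned under Adopt and the manual-trigger alternative. The variable names are Renovate's and GitLab's own; the project name, group filter, limits and waiting period are assumptions.

```yaml
# .gitlab-ci.yml of a dedicated bot project (hypothetical name: "renovate-runner")
# that runs Renovate against every repository the bot user can see.
#
# CI variables expected (masked + protected variables in the project settings;
# the names are Renovate's own, the values are assumptions):
#   RENOVATE_TOKEN    - access token of the bot user with the "api" scope only, so
#                       a leaked token can do no more than open/update merge requests
#   GITHUB_COM_TOKEN  - read-only github.com token so Renovate can fetch the release
#                       notes that appear as changelog links in the merge requests
renovate:
  image: renovate/renovate:latest   # pin a version tag or digest in production
  variables:
    RENOVATE_PLATFORM: gitlab
    RENOVATE_ENDPOINT: $CI_API_V4_URL           # API of this GitLab instance
    RENOVATE_AUTODISCOVER: "true"
    RENOVATE_AUTODISCOVER_FILTER: "team-a/*"    # hypothetical group; limits the scan
    # Guard rails against a flood of merge requests:
    RENOVATE_PR_HOURLY_LIMIT: "2"
    RENOVATE_PR_CONCURRENT_LIMIT: "5"
    RENOVATE_AUTOMERGE: "false"                 # a human reviews every update
    # Wait a few days before proposing a fresh release, so a just-published broken
    # or compromised version is usually caught or yanked before it is proposed.
    RENOVATE_MINIMUM_RELEASE_AGE: "3 days"
    # Security-fix updates come from osv.dev advisories (assumes the runner can
    # reach osv.dev); Renovate raises those with its vulnerabilityAlerts defaults,
    # which are not held back by the release age above.
    RENOVATE_OSV_VULNERABILITY_ALERTS: "true"
    LOG_LEVEL: info
  script:
    - renovate
  rules:
    # Nightly run configured under CI/CD > Schedules
    - if: $CI_PIPELINE_SOURCE == "schedule"
    # "Run pipeline" from the web UI: the manual-trigger alternative from Adopt,
    # for teams that have switched the schedule off
    - if: $CI_PIPELINE_SOURCE == "web"
```

Before enabling the schedule, run the job once with `RENOVATE_DRY_RUN: "full"` added to the variables: Renovate then logs which repositories it would touch and which merge requests it would open without creating any of them, which is the quickest way to check that the token scope, endpoint and group filter are right.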