opensource security

Simplifying your package management and security

Keeping your code up to date with the latest packages and security fixes can be a chore and something easily overlooked...

Shaun Wilde
a brass lock resting on a keyboard

Every day seems to come with more package updates and security fixes and though I, like most I feel, tend to ignore them for personal projects, I do tend to keep an eye on those projects that are actively hosted/published eg my blog.

But how do you stop it becoming a full time job? I used to heavily rely on Github's dependabot but I was getting messages for upgrading almost daily; never mind the regular security patches and evaluating if they actually impacted my site.

I then came across Renovate by Mend (was Whitespace) and realised that this was the path to take if I wanted to get some balance to my life. Setup was simple and I can control which projects renovate was allowed to manage. Once connected, Renovate will create a PR which tells you what it intends to do

a list of actions provided by renovate

Once accepted, Renovate will then create a simple dashboard within your repository

a simple dashboard to manage renovate

Now the best bit of renovate, the configuration to save you time. If you have plenty of tests and are happy to release if your build+tests pass then you can automate the package management to merge them straight in. You can group like packages together that always update around the same time eg jest or eslint, and for noisy packages, I am looking at you aws-sdk, that seem to update almost daily you can schedule/limit them to just once a week.

I am still not 100% all-in on full automation but I have decided to allow minor-like patches on my devDependancies to be fully automated

{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
...
"packageRules": [
...,
{
"matchUpdateTypes": ["minor", "patch", "pin", "digest"],
"matchPackagePatterns": ["*"],
"matchDepTypes": ["devDependencies"],
"automerge": true,
"automergeType": "branch"
}
]
}

Now all I need to do is manage the major updates and check on packages that make up the production deliverables.

Extending renovate

Unlike dependabot, Renovate supports a lot more tools, eg Docker, BuildKite, ... to name but a few and will also accept extensions from contributors. You may have noticed the .tool-versions (asdf) extension in the above images, I am glad to say that I was involved in writing that extension and though it only supports nodejs for now it should be easy for others to extend for their asdf managed tooling should they need to; I may update it myself but I only intend to do so for tools I need.

Security alerts

Though Mend does have a security module it is not something as a home developer I could afford so I still use dependabot to provide security alerts but as I am more on top of package updates I have found these happening less frequently.

Your feedback, as always, is appreciated.

Photo by FLY:D on Unsplash