DEV Community


Posted on

Understanding Auto-Merge in Dependency Management Tools

Cover image

Photo by Philipp Katzenberger on Unsplash

Every day, a large number of applications are deployed by developers. These applications may be developed using a content management system (CMS) or from scratch. Still, the majority of them use dependencies in the form of open-source materials to improve the application's functionality or save time by avoiding repetitive code.

For example, for user tracking applications,  developers may choose to employ a dependency that leverages predefined attributes and can be implemented simply without writing new code. The software would hypothetically use that dependency to generate various file formats, such as converting or generating a pdf file from a specified format.

Dependencies are typically derived from third parties rather than created within the company. The majority of these dependencies are open source, which means that other developers can examine them and utilise them however they see fit. However, because of their open-source nature, it is possible to find security weaknesses in them -- they may be outdated, or the developer who created the open-source project may not have plugged every loophole. Even a singular severe vulnerability in a dependency can make the final application vulnerable. An RCE, for example, was discovered in the open-source logging library of Java, causing the entire internet to tremble.

Because of this, it is critical that these dependencies be checked for security vulnerabilities on a regular basis, and if any vulnerabilities are discovered, a patch must be issued to mitigate the risks associated with them.

What is Auto-Merge in Dependency Management?

Screenshot of allowing auto-merge


Most code hosting platforms, such as GitLab and GitHub, offer users an "auto-merge" feature. Enabling auto-merge means that your pull request will automatically merge once all relevant reviews and status checks have been completed. Auto-merge eliminates the need to sit around and wait for prerequisites to be met, allowing you to go on to other tasks. It can be valuable when someone finds a vulnerable dependency and needs to patch it as soon as possible.

Inadequately patching insecure dependencies threatens the overall security of an application, as hackers may exploit the unpatched vulnerabilities to compromise the application or even an entire organization's architecture. Most organizations use a manual approach to assess dependencies; however, manually evaluating and merging such updates can be highly time-consuming and impact other resources. It is now possible to automate the updating of dependencies.

Numerous organizations use several dependencies in their projects, and they cannot keep track of every update that is made available for each of those dependencies. As a result, specific dependencies may contain substantial weaknesses and are neglected.

When we talk about tools, they provide an automatic way for auto merging the vulnerable dependencies with the new updated ones, which in the vast majority of situations fixes the previously present vulnerabilities in the dependent libraries. As a result, they ought to be taken into consideration as well. Furthermore, they can prevent teams from becoming subject to critical problems since they typically alert them in time to fix the vulnerabilities or update the vulnerable dependencies that are being used.

Several tools also permit auto-merge for dependency management. This article will briefly discuss three: WhiteSource Renovate, Dependabot, and Doppins.

WhiteSource Renovate is a free tool developers can use to update dependencies in real-time. When a dependency is susceptible, Renovate can be triggered automatically to build a new pull request with the necessary details about the update and vulnerability it fixes. This tool offers developers accurate information about the vulnerable dependency and contextually visible pull requests for third-party vulnerabilities in real-time.

It also can auto-merge the request, which resolves any vulnerabilities that may exist in the dependencies, making it one of the best-in-class solutions for managing dependencies in the market. In addition, it provides certain additional advantages, such as vulnerability detection through the scanning of public and private repositories.

Renovate screenshot

Dependabot is a GitHub native tool that also searches through dependencies in an application for updated versions; if there are new versions, it will typically show or open a new pull request. In that case, we can enable auto-merge, but it will necessitate a significant amount of configuration effort because we will need to add a couple of files and much more, which is not straightforward. In addition, it will only conduct dependency scanning and will not perform vulnerability scans.

Dependabot screenshot

Finally, Doppins is another option for managing dependencies. Doppins automatically upgrades your dependencies by submitting pull requests to the GitHub repository. It can be enabled on a project with simply a few clicks, as you only need to log in once, after which it will be allowed as an app with no need for any other settings. As soon as it is activated, it will scan all of the dependencies used in the project and give you essential information on the status of your dependencies promptly. In addition, it generates informative pull requests that include the changelog of the released version, if one is available, and commit messages that are delivered on time.

Doppins screenshot


Dependencies are becoming a source of concern because they are being used in many projects. Because of the large number of dependencies, not every company can keep track of all of them. Threat actors are exploiting a large number of high severity vulnerabilities that have been discovered in those dependencies to acquire access to various organizations, their source code, and a variety of other things. As a result, auto-merge can be a lifesaver because it will save time while protecting the company from potential vulnerabilities. Hence it is always recommended to have a dependency-updating tool with the auto-merge within the organization.

Discussion (0)