
Tools To Keep Your JavaScript Dependencies Updated

Saeed Ahmad (@mrsaeeddev) ・ 4 min read

As a developer, you have probably run into this: code that worked fine yesterday suddenly throws an error you have never seen before, even though nobody touched it.


You spend hours debugging, insisting to yourself that this is the same code that worked before. So what is wrong with it?

Then you realize: a dependency released a new version, and that change broke your code. With a floating range such as ^4.17.0 in package.json and no committed lockfile, a fresh npm install can pull in a newer release than the one you tested against.
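To make that mechanism concrete, here is an added example (not code from the original post, nor npm's resolver) that resolves npm-style `^` and `~` ranges against a constructed list of published versions for a hypothetical package. It is a simplified model of semver that ignores prereleases and build metadata; the function names and the version lists are assumptions made for illustration.

```javascript
// Added example (not from the original post): why the "same" package.json can
// install different code on different days. A simplified semver resolver for
// ^ and ~ ranges; prereleases and build metadata are not modelled.

const parse = (v) => v.split('.').map(Number); // "4.17.11" -> [4, 17, 11]

// Negative, zero or positive, like a comparator for Array.prototype.sort.
const compare = (a, b) => {
  const [a1, a2, a3] = parse(a);
  const [b1, b2, b3] = parse(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
};

// True when `version` satisfies `range`.
//   ^X.Y.Z  allows changes that do not modify the leftmost non-zero part
//   ~X.Y.Z  allows patch-level changes only (X.Y.Z <= v < X.(Y+1).0)
//   X.Y.Z   exact pin
function satisfies(version, range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (compare(version, base) < 0) return false; // never below the base
  const [v1, v2, v3] = parse(version);
  const [b1, b2, b3] = parse(base);
  if (op === '') return compare(version, base) === 0;
  if (op === '~') return v1 === b1 && v2 === b2;
  // caret: the leftmost non-zero component is frozen
  if (b1 > 0) return v1 === b1;
  if (b2 > 0) return v1 === 0 && v2 === b2;
  return v1 === 0 && v2 === 0 && v3 === b3;
}

// Highest published version that satisfies the range, or null if none does.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry snapshots for a hypothetical package "widget-lib":
// two new releases appeared overnight.
const PUBLISHED_YESTERDAY = ['1.2.0', '1.2.1', '1.3.0'];
const PUBLISHED_TODAY = [...PUBLISHED_YESTERDAY, '1.4.0', '2.0.0'];

// What an install of the same package.json range picks on each day.
function resolveDependency(range) {
  return {
    yesterday: resolve(range, PUBLISHED_YESTERDAY),
    today: resolve(range, PUBLISHED_TODAY),
  };
}

for (const range of ['^1.2.0', '~1.2.0', '1.2.1']) {
  const { yesterday, today } = resolveDependency(range);
  console.log(`${range.padEnd(7)} yesterday: ${yesterday}  today: ${today}`);
}
// ^1.2.0 moves from 1.3.0 to 1.4.0 (but not 2.0.0); ~1.2.0 and 1.2.1 stay put.
```

A committed lockfile (package-lock.json or yarn.lock) records the version that resolve() returned at install time, so later installs reuse it instead of re-resolving the range; the update tools below then bump that recorded version deliberately, one pull request at a time.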

Outdated packages cause other problems too, the most serious being security: an old version keeps every vulnerability that has since been fixed upstream.

In 2019, researchers found a serious prototype pollution vulnerability (CVE-2019-10744) in lodash, a widely used JavaScript utility library for working with objects, arrays, and collections. Lodash is a dependency of millions of repositories on GitHub, its repository has tens of thousands of stars and several thousand forks, and the package sees tens of millions of weekly downloads on npm. Earlier that year, the same class of vulnerability had been reported in jQuery (CVE-2019-11358), another hugely popular JavaScript library.

WhiteSource included the lodash issue in its list of top open source vulnerabilities for 2019, and its official blog described it as follows: “This prototype pollution vulnerability was discovered in a few of the functions in the Lodash node module. Specifically, merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype.”
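To show what "tricked into modifying properties of the Object prototype" means in practice, here is an added example (my own code, not the post's and not lodash's): a minimal recursive merge with the same flaw class as the functions quoted above, beside a hardened variant. The function names (naiveMerge, safeMerge, pollutes) and the attacker payload are constructed for illustration.

```javascript
// Added example (not the post's or lodash's code): prototype pollution through
// a recursive merge, and the guard that stops it. Names are illustrative.

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Vulnerable: walks every key the caller supplies, "__proto__" included.
// target["__proto__"] resolves to Object.prototype, so the recursion then
// writes attacker-chosen properties onto the prototype shared by every object.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only descend
// into the target's own properties so an inherited object is never mutated.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body. JSON.parse creates an
// own property literally named "__proto__" instead of setting the prototype,
// which is exactly what lets a merge function reach Object.prototype.
const ATTACKER_JSON = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs one merge implementation against the payload and reports whether an
// unrelated, freshly created object ended up with isAdmin === true.
// Cleans up afterwards so repeated calls start from an unpolluted prototype.
function pollutes(mergeFn) {
  const config = { name: 'default' };
  mergeFn(config, JSON.parse(ATTACKER_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype: ', pollutes(safeMerge)); // false
```

The impact depends on what the rest of the application reads from objects it never set itself: an `if (user.isAdmin)` check, a template option, or a command-line flag picked up from a polluted prototype. Updating to a fixed lodash release removes the bug at the source; the key filter above is the defence to apply in any merge or deep-assign code you write yourself.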

Dependency Update Tools

This is where dependency update tools come in to make your life easier.

A dependency update tool watches the packages your project depends on and notifies you as soon as a newer version of any of them is published, usually by opening a pull request with the version bump. You can then update that dependency right away if the release contains something critical, such as a security fix, or hold off.

Some tools also offer automatic updates: you can configure selected dependencies to be bumped, and even merged, automatically whenever a new version is available.

Since JavaScript is the de facto language of the web today, let's look at some common JavaScript dependency update tools.

1. WhiteSource Renovate

WhiteSource Renovate is a free dependency update tool from WhiteSource Software. It supports many languages and package managers, npm and Yarn among them, and is configured through a renovate.json file in the repository.

It saves you time and effort by detecting outdated dependencies and opening pull requests to update them, so the changes flow through your normal CI and review workflow. The Renovate GitHub App has created more than one million pull requests since its inception.

With its straightforward configuration, Renovate suits everyone from individuals maintaining free and open-source side projects up to large development teams such as Automattic's WordPress Calypso or Google's Angular.

Renovate recently joined the WhiteSource family, and the main point is that it is open source and completely free: all subscription plans and fees have been removed. So if you are a FOSS lover, Renovate is definitely worth a try!

2. Dependabot

Dependabot is an automatic dependency update tool built into GitHub. It supports Ruby, Python, JavaScript, PHP, .NET, Go, Elixir, Rust, Java, and Elm, among others.

Since GitHub acquired Dependabot, it has been free even for private repositories. Installation is simple, so you can easily add it to your GitHub repository, and Dependabot detects which package managers and languages the repository uses; scheduled version updates are configured in a .github/dependabot.yml file that names the package ecosystem and update frequency.

Dependabot opens a pull request for each dependency that has a new release. On your end, check that your tests pass, read the release notes and changelog, and merge if the new version carries a fix you need, or skip it if it does not suit your use case. Treat that review as a real gate rather than a formality: a bumped version can carry breaking changes, and in the worst case a compromised release, so the pull request is where you catch both.

3. Deps

Deps is a dependency update command-line tool that runs in your CI pipeline to automate dependency updates. Version 3 was released recently, and the project is now part of Dropseed.

A great advantage of Deps is that it automatically creates branches, commits the changes, and opens pull requests that you can review and merge.

Because Deps runs in your existing CI/CD environment, it needs no additional infrastructure: the setup you already have is enough. It also makes it easy to add support for further dependency types and to run your own commands around each update, so the automation fits the way your team actually works.

Deps has a basic free plan and paid subscription plans too. So, you can look into which plan suits your requirements and the needs of your project.

4. Depfu

Depfu is another dependency update tool, with built-in support for Ruby, JavaScript, and Elixir.

Depfu's main advantage is that you choose which repositories it should monitor for dependency updates through a UI-based setup flow.

You do not need to tweak any settings in GitLab or GitHub manually or add any files to your repository; everything is automatic. All communication between the tool and your repositories happens via the API, so Depfu never clones your repository or adds extra files to it.

Conclusion

Every developer wants code that is robust and secure, and keeping dependencies current is a big part of that, so pick the dependency update tool that fits your requirements. Nearly all of them integrate with code hosting services such as GitHub, GitLab, and Bitbucket, so automatic dependency updates are easy to set up. Two caveats apply whichever tool you choose: commit a lockfile so that installs stay reproducible between updates, and review update pull requests rather than auto-merging everything, because a new release can break your build or, rarely, be malicious. If you are looking for a comprehensive free tool, WhiteSource Renovate may be a good choice; otherwise, try the others as well.

Thank you for reading and good luck with your dependency updating journey!
