We (Java programmers) recently had to face 3 majors issues :
In the mean time teams have an ever growing set of projects to manage.
⚠️ While you often rely on public dependencies, you also can rely on your own private ones... which can themsleves depend on public ones and then present security flaws.
👆 In both cases, dependency management has to be performed at scale on your pipeline from build to deployment... as fast as possible... and on all your code.
Sometimes, you just need to be aware that some of your dependencies are not up-to-date, for example to get new features.
In both cases :
You don't have time to spend to monitor your favorite dependencies for each of your projects : you'd rather see someone else do the job.
Yet, when it's about security...
The job has to be done as fast as possible at scale... and without breaking existing software so the fix can be deployed as fast as possible.
This is what this post is about.
It will show how we achieve this as part of the CI with Dependabot :