DEV Community

Snyk

Making automatic yet informed decisions when upgrading dependencies

Liran Tal
🥑 Developer Advocate @snyksec | @NodeJS Security WG | @TheSecureDev team | @jsheroes ambassador | Author of Essential Node.js Security | Let's talk! 😉 ❤️
・3 min read

Did you know that Snyk opens automated dependency upgrade pull requests, on top of the security-fix Pull Requests it already opens to your GitHub or Bitbucket repositories? 🎉

What is so special about Snyk in this space?

✨ we will never recommend you an upgrade for a version that introduces a new vulnerability ✨

How awesome is that?

There's a lot of useful metadata around this capability in the Snyk app, and I'm going to detail all of the great things I like about it in this post.

(Screenshot: Snyk opens a PR to upgrade a dependency)


First off, the PR provides health information about the recommended upgrade:

✅ The recommended version is 1 version ahead of your current version

✅ The recommended version was released 8 days ago, on 2020-01-11

Here is a reference to this PR: https://github.com/lirantal/bazz-serverless-firebase/pull/13 if you wanted to take a closer look.

That kind of dependency health overview gives you more context about the freshness of the proposed version, as well as the risk of merging it because of possible breaking changes.

Remember, semver is only a convention; nothing enforces that a version bump really means what it claims.

Next, the pull request lists all the release notes for this version and the commit history, so you can inspect all of that from the PR page without drifting off to the dependency's own GitHub pages.

(Screenshot: Snyk update PR showing release notes and other metadata)

If you did want to review the actual changes between your current version of the dependency and the proposed upgrade, there's a "Compare" link which takes you to GitHub's diff page for exactly that!

(Screenshot: Snyk PR "Compare" link between released versions)

Don't want to receive further automatic updates for this dependency for some reason? No worries, there's a button right there that takes you to the Snyk app settings page, where you can ignore it completely.

Do you only want to subscribe to patch/minor upgrades rather than major ones? Pick which pull requests you want to get from the Snyk app settings page:

Do you feel that constantly opening pull requests to perform dependency version upgrades is adding noise and churn on your team? I agree.

In the settings page you can limit the number of simultaneously open pull requests, to reduce the noise on the team.

The commit message for the PR is semantic as well, and details all the necessary information, such as the relevant package page and the Snyk project, for further follow-up if necessary.

Lastly, what's the best thing about these automatic dependency upgrades from @snyksec?

✨ we will never recommend you an upgrade for a version that introduces a new vulnerability ✨
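As an added example (not Snyk's code), here is how the upgrade-selection policy described above can be modelled in Node.js: consider only releases newer than the current one, honour the patch/minor/major preference from the settings page, skip any version a known advisory covers, and report the "versions ahead" and "released N days ago" health signals the PR shows. The versions, release dates and the advisory are constructed, and the version parser assumes plain major.minor.patch strings.

```javascript
// Added example (not Snyk's code): choose an upgrade target using the health
// signals the post's PR shows, and never pick a version a known advisory covers.
// Parse "major.minor.patch" into numbers (assumption: no prerelease tags).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Which semver level changes between two versions: "major", "minor" or "patch".
function bumpType(from, to) {
  const [a, b] = [parseVersion(from), parseVersion(to)];
  if (a[0] !== b[0]) return 'major';
  if (a[1] !== b[1]) return 'minor';
  return 'patch';
}

// An advisory affects versions in [introduced, fixed) in this simplified model.
function isVulnerable(version, advisories) {
  return advisories.some((adv) =>
    compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0);
}

// Policy: among releases newer than `current`, keep those whose bump level the settings
// allow and that no advisory covers; recommend the newest, with its health signals.
function recommendUpgrade({ current, releases, advisories, allowedBumps, now }) {
  const newer = releases
    .filter((r) => compareVersions(r.version, current) > 0)
    .sort((x, y) => compareVersions(x.version, y.version));
  const safe = newer.filter((r) =>
    allowedBumps.includes(bumpType(current, r.version)) && !isVulnerable(r.version, advisories));
  if (safe.length === 0) return null; // nothing safe to propose: open no PR
  const pick = safe[safe.length - 1];
  const versionsAhead = newer.findIndex((r) => r.version === pick.version) + 1;
  const ageDays = Math.floor((new Date(now) - new Date(pick.released)) / 86400000);
  return { version: pick.version, bump: bumpType(current, pick.version), versionsAhead, ageDays };
}

// Constructed sample data: 1.3.0 ships a made-up vulnerability that 2.0.0 fixes.
const releases = [
  { version: '1.2.0', released: '2019-11-01' },
  { version: '1.2.1', released: '2020-01-11' },
  { version: '1.3.0', released: '2020-01-13' },
  { version: '2.0.0', released: '2020-01-15' },
];
const advisories = [{ id: 'DEMO-ADVISORY-1', introduced: '1.3.0', fixed: '2.0.0' }];
```

With `current: '1.2.0'`, a patch/minor-only policy and `now: '2020-01-19'`, the recommendation is 1.2.1, one version ahead and 8 days old, while 1.3.0 is skipped because the advisory covers it.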

The End.


Are you using any other dependency upgrade tool? What do you like about it?

I'd love to hear and discuss how we can make dependency upgrades a smoother and more informed process.

Discussion (2)

Abhinav Sejpal

Indeed, it's a brilliant feature!

Liran Tal (Author)

Happy to hear you love it 🤗