Automated dependency updates

Editor's Notes

• #3: Work in progress, to present externally at local user groups Find me on Twitter
• #4: Who has heard of Equifax? If I asked that in 2016, how many people would have said yes? For all the wrong reasons
• #5: This is what everyone knows Equifax for nowadays Not what they want you to know them for I’m sure many of you know that the hack was due to an vulnerability in Apache Struts
• #6: The patch for Apache Struts was available 2 months before Equifax was hacked If they had the proper processes in place, would they be as widely known as they are today
• #7: After hearing that, you might think “We’ve got good processes. We keep our dependencies up to date” Sure, that might be true. But software developers are lazy. Bill Gates said “I will always choose a lazy person to do a difficult job because a lazy person will find an easy way to do it” No matter how how streamlined your method, it still takes time, and all that time adds up
• #8: On top of that We rely on a lot of dependencies nowadays. Not just directly, but indirectly too. Node modules contains your dependencies, and the dependencies of your dependencies. All of those can have updates, and security vulnerabilities I’m picking on Javascript here, but the other languages aren’t innocent either
• #9: It might be possible for direct dependencies, but it’s impossible to maintain indirect dependencies
• #10: Event stream is a popular npm package Its maintainer handed over access to a malicious 3rd party Unknown to the maintainer
• #11: The malicious 3rd party added code to steal bitcoin wallets Automating dependency updates doesn’t solve this problem Neither does doing it manually
• #12: The number of vulnerabilities discovered each year is growing Even if you don’t directly depend on a vulnerable package You might indirectly, and not even know it
• #13: The next question is how can you automate dependency updates?
• #14: Introducing Renovate Full disclosure: I’m a maintainer of the project Renovate saves you time and reduces risk in software projects by automating the tedious process of updating dependencies. Behaviour is fully customisable so there is a setting to suit everybody.