Do you know if all your repositories have up-to-date dependencies?
Consider deploying the GitHub Action: Evergreen so that you know each of your repositories are leveraging active dependency management with Dependabot.
Do you know if all your repositories have up-to-date dependencies?
Keeping your repositories’ dependencies up to date is crucial for maintaining quality and security. Outdated dependencies can expose your project to vulnerabilities, compromise its stability, and hinder its overall performance. In order to answer this question for ourselves, we created a GitHub Action: Evergreen.
The challenge of dependency management
With new versions of libraries, frameworks, and packages being released regularly, developers are faced with the constant challenge of ensuring their projects use the latest and most secure dependencies. Manual updates can be time-consuming and error-prone, and tracking every dependency across all repositories is a daunting task.
Dependabot: Automating dependency updates
Dependabot version updates automate the process of updating dependencies by creating pull requests for new versions. Not to be confused with the more security focused variants of Dependabot in “Dependabot alerts” and “Dependabot security updates”, Dependabot version updates target any outdated dependencies instead of waiting for vulnerabilities. This alleviates the burden on developers and ensures that projects are using the latest and safest versions of their dependencies.
The Dependabot dilemma
While Dependabot version updates automates the task of updating dependencies, it is configured using a YAML file in every repository. This can make it difficult for administrators to centrally deploy it and can lead to inconsistent dependency management across projects.
Introducing Evergreen
Inside GitHub, our Open Source Program Office (OSPO) wanted to make it easy to deploy Dependabot version updates throughout our own organizations. To achieve this, we built a GitHub Action called Evergreen. Evergreen acts as a dependency management assistant for your teams, ensuring that Dependabot version updates are enabled and configured consistently across all your repositories.
[Small aside]With Evergreen, GitHub identified hundreds of our own private repositories to enable Dependabot on, and we’ll continue to run updates so we can confidently keep our repositories up to date.[Small aside]
How Evergreen works
Once the GitHub Action triggers, it checks whether Dependabot version updates is enabled for all repositories in your organization. If not, Evergreen takes care of enabling Dependabot version updates, configuring it for you, and opening pull requests with the changes for your review.
- Triggering Evergreen: You can set up Evergreen like any other GitHub Action to run on a schedule or trigger it manually to enforce consistent dependency management. Check out the GitHub Docs on triggering a workflow for more information.
-
Dependency check: Evergreen checks whether Dependabot version updates is configured for the repository.
-
Enabling Dependabot: If Dependabot is not configured, Evergreen takes care of it by automatically setting it up, and opening a pull request for you to review the configuration.
Conclusion
Keeping dependencies up to date is a non-negotiable aspect of ensuring the quality and security of your projects. Dependabot has made this task significantly easier, but it’s also equally as important to ensure consistent implementation across all repositories. Evergreen automates the process of enabling and configuring it for every repository. Ensure your dependencies are evergreen! Check out the repository for more information.
Tags:
Written by
Related posts
How GitHub gave every repository a durable owner
GitHub had over 14,000 repositories. Fewer than half had clear ownership. Here’s how we gave every active repository a validated owner in under 45 days, archived the rest, and made ownership the foundation for everything that followed.
How GitHub used secret scanning to reach inbox zero
GitHub had 20,000+ secret scanning alerts across 15,000 repositories. Here’s how we separated signal from noise, built remediation workflows, and reached inbox zero in nine months.
6 security settings every GitHub maintainer should enable this week
These six free settings will not make your project unhackable. Nothing will. What they will do is close the easy doors. Turn these on, and your project will be meaningfully harder to attack than it was before.