# Dependency Management and Automation with Renovate

![](https://lh5.googleusercontent.com/Bf4hVTkrym-7pWLoYC6VgxbTx82g5uFozedK2r-2_9AnVgs7978rD_qNLLJlAd4E0DNmWVR3NwhPj7RySuxwaeUnQ6z9dckgYJ9zUCpOtmeZiS-8ulXcnyZc2mF_WoineWL27S5nN-3lE9oNUQ)

[Photo](https://unsplash.com/photos/ndN00KmbJ1c) by [Adam Kool](https://unsplash.com/@adamkool?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText) on Unsplash

During the project planning phase, one usually lists all the functional and non-functional requirements along with other parameters. If your application is going to handle a range of different tasks, it is often preferable to use dependencies that serve the purpose and fine-tune them to your requirements.

For instance, consider that you're building a coding platform. What are the components that make up a code editor? (Note that we are talking about the layout and the frontend functionality only, not the complete infrastructure.) The minimum requirements to build a coding platform are as follows:

- Code editor
- Preview/output window
- File structure

When building components that resize panes or render the code editor, it is better to use external dependencies instead of reinventing the wheel. For example, the [Monaco](https://microsoft.github.io/monaco-editor/) editor can be used to render the code editor instead of writing your own, which is a lot more complex and unnecessarily increases the codebase.

![](https://lh4.googleusercontent.com/y4dWlLrhaJQNZ_lXs-uNAzn4cmY0Vp-Bh_wA6RkAEFYXW4d57p4dkf6Xm5Uamozi3Jlve2Ops5XbaeVk9UYrzPteGxhoYCjc3n6WLNbYuFTyLkUmhEu31yb-a5lE0vGCCEgN9Hq9HCHkTMP05Xs5NeI)

## Dependency Management

Dependencies undoubtedly make your code less verbose and improve development speed. However, one downside is their management. Just like any application or software, libraries and modules are continuously updated. These updates add new features and fix the bugs and security flaws of previous releases.
What if there were a solution to the problem of dependency management and automation?

## What is Renovate?

[Renovate](https://github.com/marketplace/renovate) is a free open-source utility that automates dependency updates. You don't have to track updates manually anymore: Renovate keeps a lookout for them and automatically updates stale and obsolete dependencies. It's completely free to use and set up.

![](https://lh6.googleusercontent.com/Qpxnyb7SRskUed4YSOxhI_U2yqeaCU09jlQIpjCvVppkp2VnwSD9tiAAKURc4wgTn0_wc_hyGS5cb6ACPNjRCNnYyzpGIV_JVmOKioj_f3J2wj9njgXa6xTPxNwnIAjQFB6gVEluwf_lPTprTP8)

Without Renovate, it is likely that the number and impact of security vulnerabilities in your applications will increase, as will the likelihood of problems going unfixed. Renovate lets you keep dependencies up to date in an automated and efficient manner and integrate this process into any [DevOps workflow](https://www.javatpoint.com/devops-workflow-and-principles#:~:text=DevOps%20workflow%20provides%20a%20visual,top%20requested%20by%20the%20users.).

To understand how this works and incorporate it into your projects, let us quickly run through the integration process and usage.

### Configuration

Follow the above link to Renovate's page on the GitHub Marketplace, scroll down to the bottom, and click the 'Install it for free' button. Next, select the repositories where you want to enable automatic dependency updates or update alerts. There is no limit on how many repositories you can select; the default option is to select all repos. After the installation finishes, Renovate opens an onboarding pull request in every selected repository.
The onboarding pull request should look something like this:

![](https://lh4.googleusercontent.com/5OTVYIybyIfyj4IwM5GNp-L-CAm10DMoK04jvx9AiR7gTya71umEbluzTrn0O5ot1qJY9P8LYVaiRBEwKRnXWRlMciyc3pEA-y_ItnQx4apLleZ_lZlyw956i9HoKHjnjogq0kja3PKCQ5joTg)

Make sure to read through the summary before you merge the pull request. After you merge it, renovate.json is added to the project with the following default configuration:

```
{
  "extends": [
    "config:base"
  ]
}
```

This file is the ruleset that determines how the tool behaves on the repository. Renovate starts looking for outdated/stale dependencies soon after this file is added, and raises a pull request for every available update.

![](https://lh3.googleusercontent.com/5OEk0jMRlSLbK2xo7e0uvRUBdw0pnXzEzCXXca2WuUMwQE5mkdwfvBx0zprntotUsgN-IXJAfHBu9BzMoCLGlJKIX7wNkkXIj5SxVQ44FxgLsFhxt93UoWMBStcobtRqBHUdNg-4jxhXEwjDBg)

![](https://lh6.googleusercontent.com/jZ-RnJZ0Q0_rKWLRkLCUJpOi20XI5RC9B-hibUQ1Rn8lqNPZdS7KeUxiVH5rTSmtmJj-AfvjeE1Bq0xSTCvJiHeguRzUZVyC9i_d-w4J6ibqMQBnjLBMnlCvJYi18Wn9PCPVyrD6HhCtnZ_nlA)

Another advantage is that each pull request includes the release notes from the package author, showcasing the changes and additions made in the update.

To further ease the process, you can also update the ruleset to auto-merge a pull request whenever an update is available. You can do so by adding a `packageRules` entry, so that renovate.json reads:

```
{
  "extends": [
    "config:base"
  ],
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ]
}
```

(Older Renovate releases spelled this selector `updateTypes`; Renovate migrates the old name to `matchUpdateTypes` automatically.)

With `automerge` on its own, the Renovate bot merges dependency updates automatically without distinguishing between major, minor, and patch updates; the `matchUpdateTypes` list restricts automerging to the update types you name. Typically, it is [good practice](https://emmenko.org/notes/how-confident-are-you-in-merging-dependency-updates/) to avoid automerging major updates. As major updates are only issued once in a while, it is always good to review them manually before approving the pull request.
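The following renovate.json puts the recommendations above together with two further safeguards that a supply-chain-conscious team usually wants. It is an added example, not configuration from the original article or from the Renovate project. `matchCurrentVersion`, `minimumReleaseAge`, `dependencyDashboard` and `vulnerabilityAlerts` are real Renovate options; the three-day delay, the `security` label and the choice to exclude 0.x packages from automerge are assumptions made for this example.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base"
  ],
  "dependencyDashboard": true,
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "matchCurrentVersion": "!/^0/",
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

`minimumReleaseAge` makes Renovate wait until a published version is at least three days old before proposing it, so a release that is yanked or flagged as compromised shortly after publication is normally withdrawn upstream before it reaches your repository. The `"!/^0/"` regex on `matchCurrentVersion` keeps packages still at a 0.x version out of automerge, because under semantic versioning a 0.x minor bump may contain breaking changes. Major updates are listed explicitly with `automerge: false` so the intent is visible in the file rather than implied. The `vulnerabilityAlerts` block labels the pull requests Renovate raises for GitHub security advisories, which makes them easy to find and prioritise in review. Renovate only automerges once the pull request's status checks pass, so the rules above are only as strong as the tests wired into those checks.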
Although it is recommended, there is no hard and fast rule that all packages should be updated to the latest version as soon as it is available. Sometimes doing so causes a version mismatch between interdependent packages, or makes a package function improperly and give undesired outputs. To ensure that this doesn't happen, you must test the update and check whether it causes any issue. If it fits well with the other packages and components, you can proceed with merging the change.

This can be confirmed by establishing a workflow. All updates, including minor and patch updates, should ideally be checked using this procedure. This can be done automatically whenever a new pull request is created, using a [GitHub action](https://github.com/features/actions?utm_source=google&utm_medium=ppc&utm_campaign=2022q3-adv-WW-Google_Search-eg_brand&scid=7013o000002CdxYAAS&gclid=Cj0KCQjw1tGUBhDXARIsAIJx01l47ZnmOBU6Vtu94ACEy0Q7y8ji8i65sU4yF8tGjcC8b1Ke0UvRysMaAjkOEALw_wcB). This suits our needs, as Renovate generates a pull request every time it detects an update. The action picks up the modifications made in the pull request and runs the workflow against them. With auto-merge set to true, the pull request is merged only if the workflow's tests pass, guaranteeing that the modification does not cause any issues. This way you can set up a completely automated pipeline that finds new updates with Renovate and merges those that don't break the existing code with a GitHub workflow.

Currently, Renovate can be used via the CLI or GitHub. If you're using another remote repository platform, make sure to check the docs.

## Conclusion

Over time, all dependency versions become obsolete, so it is important to update them regularly. Updates also bring feature additions, bug fixes, and security fixes. As looking for updates and applying them manually can be quite a task, tools like Renovate come in handy.
Using Renovate in combination with an automated workflow boosts the integration pipeline and makes dependency management a breeze.
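As an added example of the GitHub Actions workflow described above (not a workflow from the original article or from Renovate), the following file gates every pull request, including the ones Renovate opens, on an install, the project's test suite and a dependency audit. It assumes a Node.js project with `package.json` and `package-lock.json` at the repository root and a `test` script in `package.json`; the workflow name, the Node version and the `npm audit` step are choices made for this example.

```yaml
# .github/workflows/ci.yml (assumed path)
name: ci

on:
  pull_request:        # runs for every Renovate PR, so automerge is gated on it
  push:
    branches: [main]

permissions:
  contents: read       # least privilege: the job only needs to read the checkout

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # npm ci installs exactly what package-lock.json records, which is the
      # lockfile Renovate updated in the PR, so the test run reflects the change.
      - run: npm ci

      - run: npm test

      # Fail the check if the updated dependency tree pulls in a known
      # high-severity advisory; lower severities are reported but do not block.
      - run: npm audit --audit-level=high
```

Renovate's automerge waits for the pull request's status checks to succeed, but only checks that are required by branch protection are guaranteed to block a merge. Mark the `test` job as a required status check on the protected branch, so that an update whose tests or audit fail stays open for manual review instead of being merged.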