Automate NPM packages security fixes with recurring tasks on CI

Alex Barashkov on May 09, 2019

When developing on Node.js, our team uses a lot open source NPM packages. Each of them has their own benefits and drawbacks that they bring to your... [Read Full]
markdown guide

We run "audit" as part of our test suite and have dependabot set up to automatically update dependencies. Works great if you have a comprehensive test suite.

Interesting idea to have a cron job though. I'm honestly not sure sure if that is necessary with dependabot. Time to ask :)

I maintain a lot of repos, so removing maintenance overhead is a big priority. Feel free to take a look at the setup here (all repos are set up the same way):


dependabot is not free for org github accounts.
Having npm audit as a part of test suite cause unpredictable behaviour, since usually you also run tests in order to deploy something to production for example. Your tests previously passed but the moment you started deploy or planned to deploy, you could get error from npm audit.


(1) Not true (for open source that is).

(2) Right, absolutely agreed. We have a grace period depending on severity for that reason

My preference is to have a failure and know about the security problem if it's severe. This should not be a problem if everything else in your pipeline is handled appropriately


Dependabot is now part of and completely free 🎉


I run:

➜ npm outdated         
npm ERR! Not implemented yet

I updated npm to the latest:

➜ npm i npm -g                                                                                       
/Users/itspare/.nvm/versions/node/v10.15.1/bin/npx -> /Users/itspare/.nvm/versions/node/v10.15.1/lib/node_modules/npm/bin/npx-cli.js
/Users/itspare/.nvm/versions/node/v10.15.1/bin/npm -> /Users/itspare/.nvm/versions/node/v10.15.1/lib/node_modules/npm/bin/npm-cli.js
+ npm@6.9.0
updated 1 package in 8.429s

but still:

➜ npm version 
{ 'platform-ui-web': '5.2.1',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }

➜ npm outdated
npm ERR! Not implemented yet

Do you have it on your local machine, docker or Drone CI? It seems like you try it on local machine and I suppose it some issue with nvm/npm in your case, since it 100% works in docker.


Loving the automatic PR creation. Very nice work 👍

code of conduct - report abuse