
Automating my dependency management workflow

Brian Douglas · 2 min read

Keeping dependencies current can be challenging when the desire for innovation and growth of the project gets in the way. Last year, GitHub announced its migration from Rails 3.2 to 5. As mentioned in that post, this was no small task and required a dedicated resource to manage. The Rails upgrade took a year and a half, and the Rails Core team has since made a lot of improvements to make such updates more approachable.


My recent migration story started when I enabled the Dependabot Preview on one of my repositories. Through the feature's notifications I discovered that, despite my best efforts to leverage the latest and greatest open-source tools, I had failed to stay up to date with Webpack versions. Webpack had a major version upgrade from 1 to 2 back when I started my project, and, similar to the Rails migration from 3.2, the upgrade path was challenging. I knew this first-hand because I migrated my work repository around the same time this project started.

Webpack is now thriving and currently on version 4, with an automated migration path via the CLI. Thanks to Dependabot's discovery of this oversight through an automated pull request, plus my existing Continuous Integration, I could get started. Every Dependabot pull request includes the release notes and changelog to help the maintainer with the QA review process.

For those who are unaware, Webpack is a static module bundler for modern JavaScript applications; the bundle it produces is used during the development or production build process. The vulnerability I was alerted to indicated an issue where attackers can steal a developer's code because the WebSocket server does not check the origin of requests.


Thanks to this alert and the Webpack migration CLI tool, I was able to upgrade from Webpack version 1 to 4 on a Saturday evening. I was happy to get this alert, and the subsequent ones, notifying me of opportunities to keep my project up to date and free of vulnerabilities.

I have since managed to upgrade several other dependencies in this same project and plan to keep leveraging the latest versions from here on out, thanks to Dependabot. If you have a project that you or others care about, consider enabling Dependabot on it today so you get a notification when your project needs maintenance.



Brian is a developer advocate at GitHub, which means he likes chatting with developers about developer things and sometimes writes code.
