Did you know that Snyk has automated dependency upgrades on top of opening security-fix pull requests to your GitHub or Bitbucket repositories? 🎉
What is so special about Snyk in this space?
✨ we will never recommend you an upgrade for a version that introduces a new vulnerability ✨
How awesome is that?
There's a lot of powerful metadata around this capability in the Snyk app, and I'm going to detail all of the things I like about it in this post.
First off, the PR provides health information about the recommended upgrade:
✅ The recommended version is 1 version ahead of your current version
✅ The recommended version was released 8 days ago, on 2020-01-11
Here is a reference to this PR if you want to take a closer look: https://github.com/lirantal/bazz-serverless-firebase/pull/13
That kind of dependency health overview gives you more context about the freshness of the proposed version, as well as the risk of merging it due to possible breaking changes.
Remember, semver is only a convention, and nothing enforces that a version bump actually matches its label.
Next, the pull request details all the release notes for this version and the commit history, so you can inspect all of that from the PR page without drifting off to the dependency's own GitHub pages.
If you want to review the actual changes between your current version of the dependency and the proposed upgrade, there's a "Compare" link which takes you to GitHub's diff page for exactly that!
You don't want to receive further automatic updates for this dependency for some reason? No worries, there's a button right there that takes you to the Snyk app settings page, where you can ignore it completely.
Do you only want to receive patch/minor upgrades rather than major ones? Pick which pull requests you want to get from the Snyk app settings page.
Do you feel that constantly opening pull requests to perform dependency version upgrades is adding noise and churn on your team? I agree.
In the settings page you can limit the number of simultaneous pull requests that will be open, to reduce the noise on the team.
The commit message for the PR is semantic as well, and details all the necessary information, with links to the relevant package page and the Snyk project for further follow-up if necessary.
Lastly, what's the best thing about these automatic dependency upgrades from @snyksec?
✨ we will never recommend you an upgrade for a version that introduces a new vulnerability ✨
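To make the policy behind these PRs concrete, here is an added example of my own (not Snyk's code) that models what the post describes: pick the newest release allowed by your patch/minor/major setting, skip any version with a known vulnerability, and report the health metadata shown in the PR (versions ahead, release date and age). The release history and the `vulnerable` flag are constructed for a hypothetical package; the flag stands in for a vulnerability database lookup, and "versions ahead" is assumed to count every newer release up to and including the pick.

```javascript
// Constructed release history for a hypothetical package (not real data).
// `vulnerable` stands in for a vulnerability-database lookup.
const RELEASES = [
  { version: '1.2.0', date: '2019-11-02', vulnerable: false },
  { version: '1.2.1', date: '2019-12-20', vulnerable: false },
  { version: '1.3.0', date: '2020-01-03', vulnerable: true },  // constructed advisory
  { version: '1.3.1', date: '2020-01-11', vulnerable: false },
  { version: '2.0.0', date: '2020-01-15', vulnerable: false },
];

// Parse "MAJOR.MINOR.PATCH" into numbers. Semver is only a convention,
// so the label tells you intent, not whether the change is actually safe.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain semver string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Classify the jump from current to candidate: 'major' | 'minor' | 'patch',
// or null when candidate is not newer than current.
function bumpLevel(current, candidate) {
  if (compare(candidate, current) <= 0) return null;
  const [c, n] = [parse(current), parse(candidate)];
  if (n[0] !== c[0]) return 'major';
  if (n[1] !== c[1]) return 'minor';
  return 'patch';
}

// Newest release whose bump level is in `allowed` and that has no known
// vulnerability, plus the health metadata a reviewer wants to see in the PR.
function recommendUpgrade(current, releases, allowed, today) {
  const newer = releases
    .filter(r => compare(r.version, current) > 0)
    .sort((a, b) => compare(a.version, b.version));
  const ok = newer.filter(r => allowed.includes(bumpLevel(current, r.version)) && !r.vulnerable);
  if (ok.length === 0) return null;           // nothing safe to propose: open no PR
  const pick = ok[ok.length - 1];
  const ageDays = Math.round((Date.parse(today) - Date.parse(pick.date)) / 86400000);
  return { version: pick.version, level: bumpLevel(current, pick.version),
           versionsAhead: newer.indexOf(pick) + 1, releasedOn: pick.date, ageDays };
}

console.log(recommendUpgrade('1.2.1', RELEASES, ['patch', 'minor'], '2020-01-19'));
```

With only patch/minor upgrades allowed, the vulnerable 1.3.0 is skipped and 1.3.1 is proposed as "2 versions ahead, released 8 days ago"; allowing major bumps proposes 2.0.0 instead.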
The End.
Are you using any other dependency upgrade tool? What do you like about it?
I'd love to hear and discuss how we can make dependency upgrades a smoother and more informed process.
Top comments (2)
Indeed, it's a brilliant feature!
Happy to hear you love it 🤗