{"id":4158,"date":"2024-09-04T11:49:52","date_gmt":"2024-09-04T09:49:52","guid":{"rendered":"https:\/\/davidperezgar.com\/en\/?p=4158"},"modified":"2024-09-04T11:49:54","modified_gmt":"2024-09-04T09:49:54","slug":"how-to-keep-your-dependencies-up-to-date","status":"publish","type":"post","link":"https:\/\/davidperezgar.com\/en\/blog\/how-to-keep-your-dependencies-up-to-date\/","title":{"rendered":"How to keep your dependencies up to date"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">When we program in PHP or JS we rely on package managers such as Composer or npm, which are fundamental to our work. Keeping those dependencies updated is essential, mainly for security reasons: our own code becomes more secure, and the third-party code it depends on stays up to date as well.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_dependabot\"><\/span>What is Dependabot?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dependabot is a tool integrated into GitHub that automatically manages and maintains the dependencies of a software project. It regularly checks dependency configuration files, such as <code>package.json<\/code> in Node.js projects, <code>composer.json<\/code> for PHP, <code>pom.xml<\/code> in Java projects, <code>Gemfile<\/code> for Ruby, among others. 
Dependabot detects whether any dependency is out of date or has a known security vulnerability, and can automatically open pull requests (PRs) to update those dependencies.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pull requests let us review the proposed change and approve it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_features_of_Dependabot\"><\/span>Key features of Dependabot:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Dependency updates<\/strong>: Dependabot periodically checks the project dependencies and opens automatic PRs proposing the new versions. This lets us keep the project&#8217;s libraries and tools up to date without doing it by hand.<\/li>\n\n\n\n<li><strong>Patching security vulnerabilities<\/strong>: GitHub, through its vulnerability database, notifies Dependabot when it detects a vulnerability in any dependency. Dependabot can then open a PR to upgrade that dependency to a fixed version.<\/li>\n\n\n\n<li><strong>Flexible configuration<\/strong>: A configuration file controls how and when Dependabot runs. You can define the interval (daily, weekly, etc.), which files it should monitor, and whether it should open PRs automatically or only notify about updates.<\/li>\n\n\n\n<li><strong>Integration with the GitHub workflow<\/strong>: PRs created by Dependabot integrate with the existing CI\/CD workflows. 
For example, updates can be tested automatically with the unit tests and other checks the project already has configured.<\/li>\n\n\n\n<li><strong>Multi-language support<\/strong>: Dependabot supports a wide range of languages and dependency managers, such as Node.js, Python, Java, Ruby, PHP, Go, and more.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Typical_Dependabot_workflow\"><\/span>Typical Dependabot workflow:<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Dependabot regularly scans the project&#8217;s dependency files.<\/li>\n\n\n\n<li>When it finds a new version of a dependency (or detects a security vulnerability), it opens an automatic PR with the corresponding update.<\/li>\n\n\n\n<li>We review the PR, look at the proposed changes and decide whether to accept the update.<\/li>\n\n\n\n<li>If the PR is accepted, it is merged into the project and the dependencies are updated.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">In summary, <strong>Dependabot<\/strong> is a very useful tool for keeping project dependencies up to date, reducing the risk of security vulnerabilities, and minimizing the manual work associated with dependency management in software projects.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_to_implement_it\"><\/span>How to implement it?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Assuming you are developing a <a href=\"https:\/\/close.technology\" target=\"_blank\" rel=\"noopener\">plugin for WordPress<\/a> (it also works for any other PHP project), here is the configuration file I use in my repositories.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This <strong><em>dependabot<\/em><\/strong> configuration is based on the one in the <a href=\"https:\/\/github.com\/WordPress\/plugin-check\/\" target=\"_blank\" rel=\"noopener\">Plugin Check plugin for WordPress<\/a>, which I highly recommend, plus a setting that serves me well in my workflow. So, my Dependabot setup does the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checks GitHub Actions, npm and Composer dependencies.<\/li>\n\n\n\n<li>Runs the check every week.<\/li>\n\n\n\n<li>Limits the number of open PRs to 10.<\/li>\n\n\n\n<li>Opens the PRs against the &#8220;develop&#8221; branch, which is the one I normally work on.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To get it going, you only need to create this file in the default branch of your repository on GitHub, such as <em>trunk<\/em>, <em>main<\/em>, or <em>master<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">.github\/dependabot.yml<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">With the following content:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">version: 2\nupdates:\n    - package-ecosystem: github-actions\n      directory: '\/'\n      schedule:\n          interval: weekly\n      open-pull-requests-limit: 10\n      target-branch: \"develop\"\n\n    - package-ecosystem: npm\n      directory: '\/'\n      schedule:\n          interval: weekly\n      open-pull-requests-limit: 10\n      target-branch: \"develop\"\n\n    - package-ecosystem: composer\n      directory: '\/'\n      schedule:\n          interval: weekly\n      open-pull-requests-limit: 10\n      target-branch: \"develop\"<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>When we program in PHP\/JS and use libraries such as composer or npm, which are fundamental in our work. Having them updated is essential for security reasons mainly. This makes our programming more secure and even if it depends on third parties, it is also updated. What is dependabot? Dependabot is a tool integrated in GitHub that helps to manage and maintain the dependencies of a software project automatically. It takes care of regularly checking dependency configuration files, such as package.json files in Node.js projects, composer.json for PHP, pom.xml in Java projects, Gemfile for Ruby, among others. 
Dependabot &#8230; <a title=\"Keeping your dependencies up to date\" class=\"read-more\" href=\"https:\/\/davidperezgar.com\/blog\/codigo\/como-mantener-tus-dependencias-al-dia\/\" aria-label=\"Read more about Keeping your dependencies up to date\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","inline_featured_image":false,"_ayudawp_aiss_exclude":false,"webmentions_disabled_pings":false,"webmentions_disabled":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4158","post","type-post","status-publish","format-standard","hentry","category-blog","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts\/4158","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/comments?post=4158"}],"version-history":[{"count":0,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts\/4158\/revisions"}],"wp:attachment":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/media?parent=4158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/categories?post=4158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/tags?post=4158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}