By Tom Willis
Introduction
If you’re like me, you have many projects that use open-source software dependencies. These can be great libraries, such as NumPy and Pandas if you are working with data in a Python project. They could be helpful development tools like Vite and Vitest for React development. You might be using Spring Boot in your microservice. Perhaps you are a DevOps engineer and use ArgoCD to deploy workloads to your Kubernetes cluster with Git.
Or perhaps you’re a Systems Administrator using Git to manage thousands of servers with configuration management tooling such as Puppet modules or Ansible roles. Whatever language and platform you are working in today, you probably have dependencies on libraries and tools someone else is writing and, you hope, maintaining.
1. Use Renovate to automate
I hate toil, that non-scaling, manual, repetitive, reactive, but ultimately automatable work that can clog up our schedule as engineers. Renovate is a powerful automated dependency-update tool that Flexion has been using for dependency management for some time now. It helps us:
- Save time
- Increase productivity
- Safeguard our operations
Renovate wins for large projects and small projects. We use Renovate on small open-source projects that don’t require many changes to the code because it automatically keeps the dependencies up to date with very little human intervention. More significantly, we use it to manage dependencies for large clients with dozens of active repositories.
Once configured to your liking, Renovate bot will automatically create pull requests (PRs) to keep updating your dependencies, which you can do through your usual PR process. If you trust your system of tests and your continuous integration (CI) process, you can even have the Renovate bot merge its PRs if all of your CI quality gates pass. I love this for minor and patch updates on systems where I trust my test suite and let the robot merge those changes. Renovate provides that automation so we can do something more productive with our time.
2. Manage your dependencies more easily
Have you used Dependabot to automate dependency management? Some of us have made homebrewed solutions around yarn upgrade, pip install --upgrade, or even gradle --refresh-dependencies with a test cycle and a git commit. None of these options has the support (as I write this, Renovate was updated six hours ago) or the configurability of Renovate.
You can ask Renovate to do a little (such as focusing on a worrisome subset of dependencies) or do a lot (automatically merge all the updates that pass the quality gates, but only at night). These are a lot of tasks to ask a robot to execute. The way to find success and reduce that odious toil is to take small steps.
3. Cater to the needs of DevOps and System Administrators, too
Renovate isn’t just for Software Engineers; it’s also a valuable tool for DevOps engineers and even system administrators who use GitOps management techniques. In the following scenarios, see how Renovate can help other types of team members:
- Do you operate Kubernetes infrastructure using GitOps? Renovate can help you manage your Dockerfiles, manifests, and Helm charts.
- Are you using CI solutions like GitHub Actions, Travis CI, or Woodpecker? Renovate can keep all of the actions and plugins those pipelines pull in up to date.
- Are you managing a large fleet of servers using a configuration management tool like Ansible or Puppet, driven by a GitOps workflow? If so, Renovate supports both of them.
- Do you have Terraform providers? Those can be updated and managed by the Renovate bot.
If there’s a tool you use that maintains dependencies in a git repo, Renovate can likely help you manage it. For more details, check out the Renovate documentation.
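As an added example (not from this post or the Renovate project), here is a renovate.json5 for a GitOps repository that holds the kinds of files listed above. The manager names and presets are Renovate's own; the file pattern, labels and group names are assumptions for an imaginary cluster repo. Renovate's .json5 config files accept comments.

```json5
// renovate.json5 for a GitOps repo that holds Dockerfiles, Kubernetes manifests,
// Helm values, GitHub Actions workflows, Terraform and Ansible/Puppet dependencies.
// Added example; labels, file patterns and group names are assumptions.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    // Pin container images to a sha256 digest, not just a mutable tag.
    "docker:pinDigests",
    // Pin `uses: owner/action@...` to a commit SHA instead of a movable tag.
    "helpers:pinGitHubActionDigests"
  ],
  // The kubernetes manager has no default fileMatch; tell it where manifests live
  // (the clusters/ directory is an assumption about this repo's layout).
  "kubernetes": {
    "fileMatch": ["^clusters/.+\\.ya?ml$"]
  },
  "packageRules": [
    {
      // Image bumps in manifests and charts change what runs in production:
      // always a human review, never automerge.
      "matchManagers": ["dockerfile", "kubernetes", "helm-values", "helmv3", "argocd"],
      "automerge": false,
      "labels": ["infra", "needs-review"]
    },
    {
      // Digest-only updates (same tag, new sha) are low risk; batch them into one PR.
      "matchUpdateTypes": ["digest"],
      "groupName": "image and action digest pins"
    },
    {
      // Major Terraform provider versions change resource schemas; park them on the
      // dependency dashboard until someone ticks the box to request the PR.
      "matchManagers": ["terraform"],
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    },
    {
      // Galaxy roles/collections and Puppetfile modules: one grouped PR per run.
      "matchManagers": ["ansible-galaxy", "puppet"],
      "groupName": "configuration management dependencies"
    }
  ]
}
```

The two pinning presets are the security-relevant part: once images and actions are referenced by digest, a tag that is quietly re-pointed upstream cannot change what your cluster or CI runs without a Renovate PR showing the new digest.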
4. Streamline your repository management safely
You have a lot of repositories to manage. Choose an accessible, well-behaved repository with a good CI test suite and configure it to let Renovate make PRs for something that feels safe, such as patch updates related to one language. Get a feeling for what it is like to have a new helper on the team.
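A starting configuration for that first pilot repository, as an added example (not from this post). It assumes a JavaScript project, so the npm manager is the one language in scope; the PR limits and labels are assumptions you would tune for your team.

```json5
// renovate.json5 for the pilot repository: one manager, patch updates only, a trickle of PRs.
// Added example; "npm" as the language and the limits/labels are assumptions for the pilot.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  // Only the npm manager runs: package.json and its lockfile, nothing else in the repo.
  "enabledManagers": ["npm"],
  // One issue that lists every update the bot knows about, including the ones held back below.
  "dependencyDashboard": true,
  // A trickle, not a flood, while the team learns what a bot PR looks like.
  "prHourlyLimit": 1,
  "prConcurrentLimit": 3,
  "labels": ["dependencies", "renovate"],
  "packageRules": [
    {
      // Patch releases get a PR; a human still reviews and merges each one.
      "matchUpdateTypes": ["patch"],
      "automerge": false
    },
    {
      // Minor and major updates are listed on the dashboard but no PR is opened
      // until someone ticks the checkbox there.
      "matchUpdateTypes": ["minor", "major"],
      "dependencyDashboardApproval": true
    }
  ]
}
```

Widening the scope later is a matter of adding managers to enabledManagers (or removing the key so every detected manager runs) and loosening the packageRules, so the pilot config grows into the production one rather than being thrown away.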
And this isn’t only a tool for GitHub.com. Renovate supports the most common Git hosting platforms. Use GitLab? You’re set. How about Bitbucket? Works there, too. Other platforms like Gitea, Azure DevOps, or GitHub Enterprise are supported. Renovate gives you a consistent experience across all of these, which makes it an excellent tool whether you’re using one of the SaaS Git hosting providers or your own private instance away from the prying eyes of the public internet.
5. Reduce the noise while reducing toil
If you have a project with many dependencies, Renovate might come on strong at first and create a lot of PRs. It might create them during the workday and annoy folks on the team. Here is where Renovate shines: it is very configurable, and the documentation offers thought-provoking suggestions for noise reduction so you don’t overwhelm engineers while trying to reduce toil.
I recommend letting Renovate be active during nighttime or other hours when team members are not trying to work. Once you have tuned it to a cadence that works for you and your team, consider turning on the auto-merge feature for even more toil reduction. If you do, pair it with a minimumReleaseAge so the bot waits a few days before taking a freshly published version: a compromised or broken release is usually reported and pulled quickly, and that delay keeps automerge from shipping it.
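The "tuned cadence, then automerge" configuration described in sections 1, 2 and 5, as an added example that is not from this post. The presets are Renovate's own; the timezone, the 3-day release age and the labels are assumptions.

```json5
// renovate.json5 once the team trusts the bot: off-hours schedule, grouped PRs,
// automerge for minor/patch behind a release-age delay. Added example; the timezone,
// labels and "3 days" are assumptions.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    // Branches and PRs are only created outside working hours and on weekends.
    "schedule:nonOfficeHours",
    // All minor and patch updates land in one PR per run instead of one PR per package.
    "group:allNonMajor"
  ],
  // Schedules are evaluated in this zone, not in the bot's own clock.
  "timezone": "America/Chicago",
  // Don't touch a release until it has been public for this long. A malicious or broken
  // version is usually reported and pulled within days; the delay keeps automerge from
  // shipping it the hour it appears.
  "minimumReleaseAge": "3 days",
  // One weekly PR that refreshes transitive dependencies in the lockfile.
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 4am on monday"]
  },
  "packageRules": [
    {
      // The robot merges minor/patch PRs, but only after every status check passes.
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr",
      // Let the platform's own auto-merge complete the merge once branch protection is green.
      "platformAutomerge": true
    },
    {
      // Majors still get a PR (so they are visible) but a human merges them.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["major-update"]
    }
  ]
}
```

Two things to check before flipping automerge on. First, the CI checks must be required by branch protection on the platform; platform auto-merge merges as soon as the required checks are green, so a PR with no required checks can merge immediately. Second, grouping trades signal for quiet: when the grouped PR fails you no longer know which package broke the build, so a chronically noisy dependency is better excluded from the group with its own packageRule.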
6. Stay ahead with security in OSS Dependencies
Staying on top of the latest versions is a winning strategy for dealing with vulnerabilities in OSS dependencies. Renovate is not a scanner itself; it pairs with the tools that find vulnerabilities, including:
- Static application security testing
- Software composition analysis
- Dynamic application security testing
- Container vulnerability scanning
These scanners find the problems; Renovate removes the toil of fixing them by opening the PR for the patched version as soon as it is published and passes your quality gates. Renovate can also act on vulnerability data directly: its vulnerabilityAlerts setting raises a fix PR from the platform's own alerts (Dependabot alerts on GitHub), and osvVulnerabilityAlerts does the same from the OSV database. The caveat is that Renovate can only move you to a version that exists; if the maintainer has not shipped a fix, you still need the scanner's finding and a workaround.
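As an added example (not from this post), a renovate.json5 fragment that turns vulnerability alerts into fix PRs that jump the normal queue. The option names are Renovate's; the label, priority and the reviewer team are assumptions.

```json5
// renovate.json5 fragment that turns vulnerability data into fix PRs. Added example;
// the label, priority and reviewer team are assumptions.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "schedule:nonOfficeHours"],
  // Normal updates wait a few days after release (see section 5).
  "minimumReleaseAge": "3 days",
  // Settings that apply only to PRs raised because of a vulnerability alert.
  // On GitHub these come from the repository's Dependabot alerts, which must be
  // enabled and readable by the token the bot runs with.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"],
    // Ignore the off-hours window: a known-vulnerable dependency should not wait for the weekend.
    "schedule": ["at any time"],
    // Sort ahead of routine updates when PR limits are in force.
    "prPriority": 10,
    // A fix PR still goes through review: the version that closes an advisory can be a
    // breaking one, and the PR body carries the advisory details reviewers need.
    "automerge": false,
    "reviewers": ["team:appsec"]
  },
  // Also query the OSV database so repos without platform alerts are covered.
  // Check the Renovate docs for this option's current status before relying on it.
  "osvVulnerabilityAlerts": true
}
```

Keeping a label like "security" on these PRs is what makes the toil reduction measurable: a dashboard query for open PRs with that label is your current exposure, and the time from alert to merge is the number your risk owners actually care about.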
Summary
You don’t want to toil in the field of dependency management, so let the robot do it for you. Renovate is endorsed by OpenSSF and Google as the industry standard for dependency updates. And by me.
Want help with your next project? Contact Flexion now to harness the power of Renovate.
Tom Willis is a seasoned software engineering leader and innovator with extensive experience in the tech industry. An inventor with numerous patents, Tom is passionate about converting ideas into tangible software solutions. His approach emphasizes collaboration and continuous improvement, inspired by agile and DevSecOps practices. As a Flexioneer, he focuses on organizational culture improvements and the art of software quality in the complex spaces where our clients work.