
Install Renovatebot to help manage dependencies. #305

Closed
venkatamutyala opened this issue Apr 6, 2024 · 4 comments · Fixed by #327

@venkatamutyala
Contributor

I recently installed this in my work organization, and it's been huge in tracking updates and ensuring we are pinned to a digest for all our dependencies. E.g. you have GitHub Actions that use @v1 instead of @v1:sha@XXXXXXX

Using @v1 can change or, even worse, be vulnerable to some supply chain issues, while pinning to the @v1:sha... helps ensure no supply chain issues. It's worth noting that if the action you are using isn't pinned, you are still vulnerable to issues upstream from the action, but it's at least one less thing to worry about.

It's simple to install: https://github.com/apps/renovate

Once you install it, all your repos will get a PR asking you to merge "renovate.json"; feel free to accept/merge it, and then it'll scan your repos for any dependency updates.

I have a slightly improved version of renovate.json that I'm using at work (OSS) and can share it with you as a follow-up PR.
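The pinning point above is easy to check for yourself before (or alongside) Renovate. The following script is an added example, not code from this issue, from Renovate or from the commenter; it scans GitHub Actions workflow text for `uses:` lines and flags any `owner/repo@ref` whose ref is not a 40-hex commit SHA, and also flags SHA-pinned lines that lack the trailing `# vX.Y.Z` comment Renovate writes so humans can still read the version. The workflow text and the SHAs in it are constructed for the example; local (`./...`) and `docker://` actions are deliberately skipped since they are not `owner/repo@ref`.

```python
import re
from typing import List, NamedTuple

# A `uses:` line in a GitHub Actions workflow: owner/repo(/subpath)@ref, optionally
# followed by a "# v1.2.3" comment (the form Renovate leaves next to a pinned digest).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# A full git commit SHA-1 is the only ref GitHub will not silently move under you.
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")


class Finding(NamedTuple):
    line_no: int
    action: str
    ref: str
    reason: str


def is_pinned(ref: str) -> bool:
    """True only for a full commit SHA; tags (v4) and branches (main) are mutable."""
    return SHA1_RE.match(ref) is not None


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is not safely digest-pinned.

    Local actions (./path) and docker:// images never match USES_RE and are skipped.
    The version comment is only a readability hint: GitHub fetches the SHA, so a
    mismatched comment is a review issue, not a security control.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if is_pinned(ref):
            if not (comment or "").strip():
                findings.append(Finding(line_no, action, ref,
                                        "pinned to a digest but missing the version comment"))
            continue
        findings.append(Finding(line_no, action, ref,
                                "mutable ref; pin to the 40-hex commit SHA"))
    return findings


# Constructed sample workflow; the SHAs are placeholders, not real action commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3.8.2
      - uses: ./.github/actions/local-thing
      - name: Lint
        uses: some-org/some-linter@main
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref}: {f.reason}")
```

Run against the sample it reports lines 7, 11 and 12: the first two use a tag or branch and should become SHA pins, the last is pinned but has no version comment, which is what Renovate's digest pinning would add for you.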

@delano
Collaborator

delano commented Apr 10, 2024

Ah, pinning actions is smart. It looks like renovate has some really in depth functionality. For managing dependencies specifically, are there other benefits relative to dependabot?

@venkatamutyala
Contributor Author

venkatamutyala commented Apr 10, 2024

I just finished a rollout of dependabot at work, and it seems to do everything, while dependabot appears to just do CVE/security updates primarily. It doesn't appear to be uncommon to have both running.

As for what I like about renovatebot:

  • It seems to group updates together. E.g. it'll batch updates like pinning dependencies into one PR.
  • It works for everything: minor, patch, major. And it covers Docker image updates, GitHub Actions, Ruby/Bundler, Node.js/package.json, etc. You can also create custom regex parsers that will monitor for a release and then update your file via PR using the regex.

As for installation, if you choose to install it, it'll create a PR adding a renovate.json file to each repo. Once you merge it in, it'll scan/update and open more PRs as needed. I have a renovate.json I can share with you that has a number of settings I found helpful in my own setup. As for removal, just remove the GitHub app and optionally delete the renovate.json from each repository.
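The commenter's own renovate.json is not on this page, so the following is an added example config, not the commenter's file and not the default one Renovate's onboarding PR generates. It shows the three behaviours described in this thread: pinning GitHub Actions (and Docker images) to digests, batching the non-major updates into one PR, and a custom regex manager watching a version string in a file. The preset and option names (`config:recommended`, `helpers:pinGitHubActionDigests`, `docker:pinDigests`, `pinDigests`, `customManagers` with `customType: "regex"`) are taken from Renovate's documentation; the Makefile variable `KUBECTL_VERSION` and its mapping to `kubernetes/kubernetes` releases is a hypothetical target chosen for illustration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests",
    "docker:pinDigests"
  ],
  "packageRules": [
    {
      "description": "Pin every GitHub Action to its commit digest; Renovate keeps a # vX.Y.Z comment beside the SHA",
      "matchManagers": ["github-actions"],
      "pinDigests": true
    },
    {
      "description": "Batch pins, digest bumps and minor/patch updates into one PR to keep review load low",
      "matchUpdateTypes": ["minor", "patch", "pin", "digest"],
      "groupName": "non-major dependencies"
    },
    {
      "description": "Major updates stay separate and wait for approval on the dependency dashboard, so a breaking change cannot hide inside a batch",
      "matchUpdateTypes": ["major"],
      "dependencyDashboardApproval": true
    }
  ],
  "customManagers": [
    {
      "customType": "regex",
      "description": "Hypothetical example: track KUBECTL_VERSION in the Makefile against kubernetes/kubernetes GitHub releases",
      "fileMatch": ["^Makefile$"],
      "matchStrings": ["KUBECTL_VERSION\\s*[:?]?=\\s*v?(?<currentValue>\\d+\\.\\d+\\.\\d+)"],
      "depNameTemplate": "kubernetes/kubernetes",
      "datasourceTemplate": "github-releases",
      "extractVersionTemplate": "^v(?<version>.*)$"
    }
  ]
}
```

Two caveats worth keeping in mind when adopting something like this: digest pinning only fixes the reference your workflow fetches, not anything the action itself pulls at run time (the upstream issue noted earlier in the thread), and a regex manager is only as good as its `matchStrings`, so test the pattern against the real file before relying on it.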

@delano
Collaborator

delano commented May 2, 2024

Awesome, I'm sold. Yeah, create the PR at your leisure and we'll get it merged in 🦾

@venkatamutyala
Contributor Author

@delano can you confirm if you installed this? https://github.com/apps/renovate
