From d4fbe4d8e04c58911ef8a84020ce8f7674d3c011 Mon Sep 17 00:00:00 2001 From: Tilman Ginzel Date: Mon, 30 Mar 2020 18:37:21 +0200 Subject: [PATCH] Add dependency update scan --- radar/2019-11-01/dependency-update-scan.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 radar/2019-11-01/dependency-update-scan.md diff --git a/radar/2019-11-01/dependency-update-scan.md b/radar/2019-11-01/dependency-update-scan.md new file mode 100644 index 0000000..1536f5f --- /dev/null +++ b/radar/2019-11-01/dependency-update-scan.md @@ -0,0 +1,19 @@ +--- +title: "Dependency Update Scan" +ring: assess +quadrant: methods-and-patterns + +--- + +Automated dependency scans are useful to remove the manual task of regularly checking for version updates. +Our teams are utilizing the Open Source bots [Renovate](https://github.com/renovatebot/renovate) and [Scala Steward](https://github.com/fthomas/scala-steward), both of which are running as a scheduled GitLab job in our internal infrastructure. +The bots are regularly creating merge requests with dependency version updates against our projects. + +Having this automated comes with a few advantages: + +- Important dependency updates are available very shortly after they have been published (e.g. for security issues) +- Changelogs are referenced in the merge requests, making it easy to review if the update is relevant +- An automatically triggered pipeline is running our test suites, giving us a high confidence that the version update is non-breaking if the pipeline was successful +- Regular small updates are easier to maintain than bulk updates of many libraries at once, reducing the risk of introducing compatibility breaking changes + +Automated merge requests allow us to focus on reviewing, testing and prioritization of dependency version updates with considerably less effort. \ No newline at end of file
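Review bot: the benefits list in the new file states only the upside of fast automated updates and leaves out the matching caveat a reader of an "assess" entry needs: the same bot that surfaces a security fix "very shortly after they have been published" will just as quickly open a merge request for any release upstream publishes, including a mistaken or malicious one, so the review the text asks for should cover where the new version comes from and not only the referenced changelog. Suggest extending the second bullet, "- Changelogs are referenced in the merge requests, making it easy to review if the update is relevant", with a sentence that the reviewer also checks the release itself (source repository, release notes, publisher) before merging. The fourth bullet, "giving us a high confidence that the version update is non-breaking if the pipeline was successful", should be softened to confidence limited by what the test suite exercises; a green pipeline does not prove the update is non-breaking for code paths the tests do not cover. Since both bots run as "a scheduled GitLab job in our internal infrastructure", it would also help to document how the job's credentials are scoped (creating merge requests against the projects and nothing more), because a token with broader rights turns the bot into an attractive target. Minor: "Open Source bots" reads better in lower case, "utilizing" can simply be "using", and the file ends with "\ No newline at end of file", which should get a trailing newline.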