Dependency Updates
2 minute read
Responsibility
Dependency updates are a responsibility of all project maintainers. All maintainers must be accountable for the updates they introduce and proper review provides a mechanism for reducing the potential for negative impact to the project.
Objectives
- Ensuring that all dependencies are updated to their latest versions
- Understanding the implications of updated dependency code
- Validating the provenance of the updated dependency
- Annotation of the reviewed dependency updates
Guidance
Through the use of Renovate, we can automate the process of updating our dependencies to their latest versions. With this automation comes the responsibility to review considerations and implications to the updates the changes introduce. Review of the dependency updates will begin as renovate creates a pull request with the dependency update. Review should then include the following:
- Review the dependency
release notes
included in the Pull Request - Compare the source code changes between tagged versions of the dependency
- Isolate and annotate any potential updates that may impact the project code
- Review updates for new features or processes that may be positively consumed by the project
- Validate the integrity / provenance of the updated dependency
- Golang checksums
- go.mod and project checksums
- NPM integrity
- tarball integrity validation
- Workflow Integrity
- Tag Commit checksum
- Golang checksums
- Annotation of the reviewed dependency updates for approval
- Include any relevant notes or considerations
- Include steps to validate the dependency updates
Examples
Golang Dependencies
Given a dependency in the go.mod file, the following steps are taken to validate the dependency:
- Identify the dependency source - IE github.com/open-policy-agent/opa
- Identify the tagged version - IE v0.62.1
- Curl the checksum of the tagged version - IE curl
https://sum.golang.org/lookup/${source}@${tag}
The following should be returned for use in validation:
github.com/open-policy-agent/opa v0.62.1 h1:UcxBQ0fe6NEjkYc775j4PWoUFFhx4f6yXKIKSTAuTVk=
github.com/open-policy-agent/opa v0.62.1/go.mod h1:YqiSIIuvKwyomtnnXkJvy0E3KtVKbavjPJ/hNMuOmeM=
NPM Dependencies
Given a dependency in the package-lock.json file, the following steps are taken to validate the dependency:
- Identify the resolved dependency archive - IE https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.19.tgz
- Curl the archive locally - IE curl -LO https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.19.tgz
- Perform a SHA512 hash on the archive - IE cat ./autoprefixer-10.4.19.tgz | openssl dgst -sha512 -binary | openssl base64 -A
- Compare results against the
integrity
field in the package-lock.json file
GitHub Action Dependencies
Review the updated commit hash of the tagged action against the tag of the action in the source git repository.
Notes
- Validation of the checksums is currently a manual process and a byproduct of not yet capturing the provenance of Renovates checksum process. Given that no single version of Renovate is being used (this is the non-self-hosted GitHub application), we do not track updates to the renovate runtime itself.
Feedback
Was this page helpful?