item 40038461

AndreasHae | 1 year ago

Nowadays there are automated tools like Dependabot (0) or RenovateBot (1) that make it simple to keep dependencies up to date. I can imagine the need originated from the JS ecosystem, but from a security standpoint it makes sense for almost any stack.

0: https://github.com/dependabot

1: https://docs.renovatebot.com/


alkonaut | 1 year ago

Creating PRs with suggested outputs is one thing. But automating it all the way to deployment seems a bit much.

AndreasHae | 1 year ago

I think the idea is that for minor updates or patches, any potential breakages should be caught by the build pipeline or rolling deployments with automated rollback strategies (if you’re at a scale where this is feasible). Major updates will probably fail in the pipeline and require manual intervention either way.

I don’t think it makes sense for every project, but if recovery options are cheap then I don’t see anything that speaks against it.

trueismywork | 1 year ago

Even in presence of an xz like attack?

mason55 | 1 year ago

Sure, why not? Are you suggesting that having a human in the loop, robotically bumping the version numbers of your dependencies would have mitigated it?

Lots of humans upgraded lots of dependencies without noticing, I doubt whoever is doing it in your org is special enough to be the one who would have caught it. And if they are, they should be working in security research, not bumping dependency versions in package.json.
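An added example, not posted by any commenter above and not a project's own configuration: a Renovate `renovate.json` that implements the split AndreasHae describes (minor and patch updates auto-merge only after the repository's status checks pass, major updates stay as PRs for a human) and adds a release-age delay, which is Renovate's documented knob for not pulling a release in the same day it is published, so a release that is yanked or flagged within that window never reaches a PR. It assumes a repository with `config:recommended` as the base preset and a CI pipeline that reports required status checks on PRs; the option names are taken from the Renovate documentation linked in the top comment.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "minimumReleaseAge": "7 days",

  "packageRules": [
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr",
      "ignoreTests": false
    },
    {
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

`ignoreTests: false` is the default and is spelled out here on purpose: with `automergeType: "pr"` Renovate only merges once the PR's checks are green, so the pipeline AndreasHae relies on is the actual gate. `minimumReleaseAge` is a delay, not a review; it buys time for a bad release to be pulled or reported, and does nothing against a compromised release that nobody notices within the window.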