
[FEATURE] Add auto dependency upgrades for SDK #185

Closed
saratvemulapalli opened this issue Oct 12, 2022 · 4 comments · Fixed by #209

@saratvemulapalli
Member

Is your feature request related to a problem?

Add GitHub Dependabot support which raises PRs when security issues are found within code.

What solution would you like?

Write up dependabot.yml and configure it for the repo[1].

[1] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
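As an added example of the file the request asks for (this is not from the issue or from the SDK repository), a `.github/dependabot.yml` for a Gradle-built repository; the `gradle` ecosystem and the `/` directory are assumptions about the SDK's layout. One caveat worth knowing when the goal is security fixes: this file configures Dependabot *version* updates, which run on the schedule given here; Dependabot *security* updates (PRs raised when an advisory matches a locked dependency) are switched on separately in the repository's security settings and do not depend on this schedule.

```yaml
# Added example, not the project's own file: .github/dependabot.yml
version: 2
updates:
  # Assumption: the SDK builds with Gradle from the repository root.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "daily"        # Dependabot checks for version updates at most once per day
      time: "04:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"

  # Keep the GitHub Actions used by CI current too; pinned action versions are
  # part of the supply chain even though they are not Java dependencies.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Branch protection should still require the CI checks to pass on the bump PRs; the file only opens them, it does not vouch for the new versions.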

@dbwiddis
Member

dbwiddis commented Oct 12, 2022

I recently replaced Dependabot on my repo with Renovate. I consider it a much better product. Some advantages:

  • If you want it to act just like Dependabot you can, but you can even customize time of day of the PRs, or just let them come whenever detected. It's always faster than Dependabot which I think only runs once daily, which is important for security-based issues.
  • Bump PRs have a header with badges displaying the quality of the dependencies. See an example here. What the age of the version is, what percentage of Renovate users have upgraded, what percentage of them have passing tests. This is invaluable for evaluating major version bumps and adoption/quality.
  • You can group/batch version bumps together. I have done this to batch my build plugins (to get a single PR instead of 3 for ones that release together, for example) to reduce the PR noise. Here's an example batch PR.
  • It creates a "Dashboard" issue that shows you any pending bumps or ones you've intentionally suppressed. See example here.
  • It has the ability to auto-merge its own PRs, which I've enabled for minor and patch versions of build plugins. We probably don't want that feature here, but it's available :)
  • Sample config file: simple (and I even have a more "advanced" config).

Unless there's a reason we are tied to the same system as OpenSearch, I'd consider it. Heck, I might submit an issue to OpenSearch to recommend it :)
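To make the features listed above concrete, here is an added example `renovate.json` (not dbwiddis's config and not the SDK repository's) showing the grouping, scheduling, dashboard and selective automerge that the comment describes. The `gradle` manager is an assumption about the repository's build; `matchDepTypes: ["plugin"]` is assumed to select Gradle plugin declarations so that only build tooling, not runtime dependencies, is ever merged without review.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],

  "dependencyDashboard": true,

  "schedule": ["after 10pm and before 5am every weekday", "every weekend"],

  "packageRules": [
    {
      "description": "Batch Gradle build plugins into a single PR to cut noise",
      "matchManagers": ["gradle"],
      "matchDepTypes": ["plugin"],
      "groupName": "gradle build plugins"
    },
    {
      "description": "Automerge only minor/patch bumps of build plugins; runtime deps always get a human review",
      "matchManagers": ["gradle"],
      "matchDepTypes": ["plugin"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],

  "vulnerabilityAlerts": {
    "description": "Advisory-driven updates bypass the quiet-hours schedule and are labelled for triage",
    "labels": ["security"],
    "schedule": ["at any time"]
  }
}
```

Automerge in Renovate only merges once the repository's required status checks pass, so the rule above is only as safe as the CI and branch protection behind it; the `vulnerabilityAlerts` block is what gives security-driven bumps their own (immediate) schedule separate from routine version bumps.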

@dbwiddis
Member

Some bloggers like Renovate:

Other reasons Renovate is awesome (and no I'm not a paid shill):

  • The company behind it (Mend) is a rebrand from WhiteSource which we already use/trust in our CI
  • Dependabot works great for Github. Because it's developed by GitHub. As an independent product, Renovate supports many more platforms than GitHub, which may or may not be relevant in our future if we have more Docker integration, etc.

@saratvemulapalli
Member Author

Thanks @dbwiddis. I didn't know Mend Renovate is really better. I really like that.
I am happy as long as dependencies are being upgraded : )

@saratvemulapalli saratvemulapalli changed the title [FEATURE] Add dependabot support for SDK [FEATURE] Add auto dependency upgrades for SDK Oct 13, 2022
@dbwiddis
Member

This needs to be initially set up by an owner of opensearch-project. How do we request that?
