Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add dependabot.yml to monitor outdated dependencies #647

Merged
merged 2 commits into from
Oct 23, 2024

Conversation

cwperks
Copy link
Member

@cwperks cwperks commented Apr 22, 2024

Is your feature request related to a problem? Please provide an existing Issue # , or describe.

Adds dependabot.yml to run on a weekly basis to monitor for outdated dependencies in this repo.

Check List

  • Backport Labels added.
  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Copy link
Member

@ansjcy ansjcy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cwperks Thanks for the changes!

@cwperks
Copy link
Member Author

cwperks commented Oct 23, 2024

@Gaganjuneja Can we add this in as well? Dependabot makes maintainers lives a lot easier by watching for outdates dependencies proactively and using automation to create version bump PRs.

@Gaganjuneja
Copy link
Collaborator

@Gaganjuneja Can we add this in as well? Dependabot makes maintainers lives a lot easier by watching for outdates dependencies proactively and using automation to create version bump PRs.

Thanks @cwperks. Do we have this in OpenSearch core? Need to understand if this is approved to be used?

@cwperks
Copy link
Member Author

cwperks commented Oct 23, 2024

@Gaganjuneja Yes, dependabot is widely used across repositories in the OpenSearch project. Its used in core, plugin repos and other repos as well. It works with many dependency management systems including gradle like this repo uses.

Example config in security plugin: https://github.com/opensearch-project/security/blob/main/.github/dependabot.yml

Core's config: https://github.com/opensearch-project/OpenSearch/blob/main/.github/dependabot.yml

@Gaganjuneja Gaganjuneja merged commit 4589564 into opensearch-project:main Oct 23, 2024
6 of 7 checks passed
@cwperks
Copy link
Member Author

cwperks commented Oct 23, 2024

Main advantage of dependabot is proactive security fixes. W/o automated updates, usually it takes a scan of the built plugin zip file to see if there are any known CVEs that impact any of the jars. Dependabot does the heavy lifting by checking maven to see if new versions of a dep are available and makes a PR to update the dep.

This configuration does minor + patch updates, but does not explicitly perform major version updates of deps since those often require additional changes.

Its a similar config used across many repos in the project.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants