Enable javascript in your browser for better experience. Need to know to enable it? Go here.
Last updated : Oct 28, 2020
Not on the current edition
This blip is not on the current edition of the Radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the Radar Understand more
Oct 2020
Adopt ? We feel strongly that the industry should be adopting these items. We use them when appropriate on our projects.

Among the available tools for keeping dependencies up to date, Dependabot is a solid default choice in our opinion. Dependabot's integration with GitHub is smooth and automatically sends you pull requests to update your dependencies to their latest versions. It can be enabled at the organization level, so it's very easy for teams to receive these pull requests. If you're not using GitHub, you can still use the Dependabot libraries within your build pipeline. If you're interested in an alternative tool, also consider Renovate, which supports a wider range of services, including GitLab, Bitbucket and Azure DevOps.

Nov 2019
Trial ? Worth pursuing. It is important to understand how to build up this capability. Enterprises should try this technology on a project that can handle the risk.

Keeping dependencies up to date is a chore, but for security reasons it's important to respond to updates in a timely manner. You can use tools to make this process as painless and automated as possible. In practical use our teams have had good experiences with Dependabot. It integrates with GitHub repositories and automatically checks dependencies for new versions. When required, Dependabot will open a pull request with upgraded dependencies.

May 2018
Assess ? Worth exploring with the goal of understanding how it will affect your enterprise.

Keeping dependencies up to date is a chore, but it's important to manage upgrades frequently and incrementally. We want the process to be as painless and automated as possible. Our teams have often hand-rolled scripts to automate parts of the process; now, however, we integrate commercial offerings to do that work. Dependabot is a service that integrates with your GitHub repositories and automatically checks your project dependencies for new versions. When required, Dependabot will open a pull request with upgraded dependencies. Using features of your CI server, you can automatically test upgrades for compatibility and automatically merge compatible upgrades to master. There are alternatives to Dependabot, including Renovate for JavaScript projects and Depfu for JavaScript and Ruby projects. Our teams, however, recommend Dependabot because of its multilanguage support and ease of use.

Published : May 15, 2018
Radar

Download Technology Radar Volume 25

English | Español | Português | 中文

Radar

Stay informed about technology

 

Subscribe now

Visit our archive to read previous volumes