Updating 3rd party libraries is easy

Interested in making easy work of keeping your project's 3rd party dependencies up to date? If so, push the easy button and read on.

I recently added Dependabot support for two of my GitHub projects, DeepViolet and DeepVioletTools. For anyone interested, these projects provide a TLS/SSL security scanning API and a sample set of reference cases demonstrating the API's usefulness. The important point is that Dependabot makes easy work of upgrading your 3rd party dependencies by updating your Maven pom.xml to the latest library versions.

Dependabot is like a watchdog alerting you when updates come out, but it's more than that, since it also does the work of creating a GitHub PR. If you have a decent set of test cases checked in, then you have some confidence that merging the changes will not break your software. Of course, there's always the possibility that a new version of a 3rd party library could introduce some operational instabilities, but if everything compiles properly and, assuming you have a sizable cadre of unit test cases, those test cases pass, then you have some confidence in your delivery. I don't want to discourage additional testing, but my point is that Dependabot is good progress toward reducing vulnerabilities in your software supply chain. I'm still experimenting with Dependabot, but I'm blown away by how cool this software is and by its integration with GitHub. Bonus, a FREE version is available for the open source community.
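For readers who want to try the setup described above, here is an added example of the `.github/dependabot.yml` that turns Dependabot on for a Maven project; it is not taken from DeepViolet or DeepVioletTools, and the repository layout (pom.xml at the repository root), the weekly schedule and the PR limit are assumptions you can adjust. The `ignore` rule holds back major-version bumps, which are the updates most likely to cause the operational instabilities mentioned above, so those can be taken on deliberately while minor and patch updates flow through automatically.

```yaml
# .github/dependabot.yml (added example, not part of the original post)
version: 2
updates:
  - package-ecosystem: "maven"   # read pom.xml for dependency versions
    directory: "/"               # assumption: pom.xml lives at the repo root
    schedule:
      interval: "weekly"         # assumption: weekly is frequent enough here
    open-pull-requests-limit: 5  # cap the number of open update PRs
    labels:
      - "dependencies"           # makes the PRs easy to filter in the repo
    ignore:
      # Let minor/patch updates through automatically; hold back major
      # version bumps so a human reviews them against the test suite first.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Once this file is committed, Dependabot opens a PR per outdated dependency, and your CI build running the unit tests against each PR is what gives the merge confidence the post describes.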

Author: milton

For bio, see https://www.securitycurmudgeon.com/about/