Automated Dependency Management with Depfu
What if you had a colleague who regularly sent you pull requests to help you stay on top of dependency updates? And those pull requests included all the information required to makes those updates easily?
It initially sends you three easy pull requests — security updates are sent first. Then when you merge or close one, it sends another but never more than seven at a time.
“It’s very easy to delay this process and say, ‘Well, we don’t have time for that. We have more important things to do.’ And so what we wanted to do is turn it into something that would just run all the time and be integrated into your developer workflow,” said co-founder Jan Krutisch.
“It’s very easy to kind of delay this process and say, ‘Well, we don’t have time for that. We have more important things to do.’ And so what we wanted to do is turn it into something that would just run all the time and be integrated into your developer workflow,” said Krutisch.
You simply connect your Github or Gitlab repo to Depfu and it runs in the background checking your dependencies. You choose the repos that you give Depfu access to; you don’t have to add any files or change any settings. All interactions with your repo take place via the API. With Gitlab, it installs a bot-user to the repo and a webhook that provides information about relevant changes.
“Before I was always running bundle outdated first thing in the morning, but it was up to me to actually remember. With Depfu I wake up to PRs that I can act on right away,” said independent developer Robin Mehner.
Long History with Ruby
Munz and Krutisch had been working on Ruby on Rails applications since 2006.
“We really like that ecosystem. And we know that it’s not kind of the latest hotness, but at this point, I think it’s quite mature technology,” said Krutisch.
“Most of the work is done by a monolithic Rails application that runs the whole front end, but also runs some workers in the back end that do like schedule or updates, fetch all the information from the different package repositories to get all the update information and stuff like that.”
“The application runs on some pretty simple servers, we have a couple of small services that try to encapsulate some of the processes for security reasons because we need to execute code that comes from our clients’ repositories at times. And so that can be a security risk because we cannot really control what kind of code gets executed there. That’s the drawback of, for example, the way the package managers and Elixir and Ruby work because the dependencies are actually defined in a file that is Ruby or elixir itself. So to properly update that, we need to run that on sort of an isolated environment. And that’s essentially it.”
Seeking a Niche
Its second-closest competitor, Renovate was acquired by WhiteSource. Meanwhile, their friends in Berlin who created Greenkeeper have passed the torch to Snyk. All three apparently are being folded into larger, security-focused systems.
That has Depfu trying to find its niche.
“We’re essentially competing right now against a lot of companies that I think maybe apart from Dependabot don’t have a huge incentive to put additional energy into these products,” Krutisch said.
“We still have an incentive to make our product better because we know we can maybe catch a couple of people with features that the other the alternatives don’t have.”
It has decided to focus on an enterprise on-premise version and is working with a handful of larger clients.
One thing those clients have asked for, he said, is the ability to not only update dependencies but the runtime itself with a pull request.
“This is surprisingly complicated because it’s not as if the dependencies are just defined in one file. … For these runtime or engine updates, it can be defined in so many places. So you have a Docker container that needs to run the right version. You have the CI that needs to be configured to run the right version, then you probably have a file that defines the runtime version for your development environment. And so this is all very client-specific and so we are trying to come up with a way to flexibly but quickly update all of these files at once. So you can get a pull request that has everything in there to get you going on a new version and makes rolling out these new versions a lot quicker,” he said.
It’s been hard to test because, in contrast to smaller libraries, runtime updates usually come out only a few times a year year in some languages “and so we don’t have that many opportunities to test that,” he said.
It also wants to support more languages, like PHP and Go.
“But it’s not entirely clear to us what the current gold standard for dependency management on Java really is, so we’re definitely looking at these things,” he said.
Snyk is a sponsor of The New Stack.
Image by Bill Kasman from Pixabay