CI/CD / Development / DevOps / Security

Automated Dependency Management with Depfu

4 May 2020 3:00am, by

What if you had a colleague who regularly sent you pull requests to help you stay on top of dependency updates? And those pull requests included all the information required to makes those updates easily?

That’s the notion behind Depfu, an automated dependency-management service that grew out of the Ruby on Rails ecosystem, but has grown to include JavaScript and Elixer projects as well.

It initially sends you three easy pull requests — security updates are sent first. Then when you merge or close one, it sends another but never more than seven at a time.

“It’s very easy to delay this process and say, ‘Well, we don’t have time for that. We have more important things to do.’ And so what we wanted to do is turn it into something that would just run all the time and be integrated into your developer workflow,” said co-founder Jan Krutisch.

Partners Florian Munz in Copenhagen and Krutisch in Hamburg, Germany, began working on Depfu in 2016. They had friends in Berlin who had built Greenkeeper, an automated dependency management tool for JavaScript, and with the Depfu duo’s long experience with Ruby on Rails, they thought it would be cool to do something similar for the Ruby ecosystem.

“It’s very easy to kind of delay this process and say, ‘Well, we don’t have time for that. We have more important things to do.’ And so what we wanted to do is turn it into something that would just run all the time and be integrated into your developer workflow,” said Krutisch.

You simply connect your Github or Gitlab repo to Depfu and it runs in the background checking your dependencies. You choose the repos that you give Depfu access to; you don’t have to add any files or change any settings. All interactions with your repo take place via the API. With Gitlab, it installs a bot-user to the repo and a webhook that provides information about relevant changes.

“Before I was always running bundle outdated first thing in the morning, but it was up to me to actually remember. With Depfu I wake up to PRs that I can act on right away,” said independent developer Robin Mehner.

Long History with Ruby

Munz and Krutisch had been working on Ruby on Rails applications since 2006.

“We really like that ecosystem. And we know that it’s not kind of the latest hotness, but at this point, I think it’s quite mature technology,” said Krutisch.

“Most of the work is done by a monolithic Rails application that runs the whole front end, but also runs some workers in the back end that do like schedule or updates, fetch all the information from the different package repositories to get all the update information and stuff like that.”

Then it uses specific small bits in the supported languages — for example, for Node.js, for npm packages it runs a little bit of JavaScript to update the dependency files.

“Because we want to make sure that we were not doing something different than what the original app you know, the original package manager would do. So that would be a little bit of JavaScript, a little bit of Elixir and whatever language is going to come in the future,” he said.

“The application runs on some pretty simple servers, we have a couple of small services that try to encapsulate some of the processes for security reasons because we need to execute code that comes from our clients’ repositories at times. And so that can be a security risk because we cannot really control what kind of code gets executed there. That’s the drawback of, for example, the way the package managers and Elixir and Ruby work because the dependencies are actually defined in a file that is Ruby or elixir itself. So to properly update that, we need to run that on sort of an isolated environment. And that’s essentially it.”

Seeking a Niche

Depfu is competing in a rapidly evolving space as competitors are acquired and their services offered for free. Its most visible competitor is GitHub itself, which last year acquired Dependabot, and has made it available covering dependencies written in Ruby, Python, Java, .NET, and JavaScript.

Its second-closest competitor, Renovate was acquired by WhiteSource. Meanwhile, their friends in Berlin who created Greenkeeper have passed the torch to Snyk. All three apparently are being folded into larger, security-focused systems.

That has Depfu trying to find its niche.

“We’re essentially competing right now against a lot of companies that I think maybe apart from Dependabot don’t have a huge incentive to put additional energy into these products,”  Krutisch said.

“We still have an incentive to make our product better because we know we can maybe catch a couple of people with features that the other the alternatives don’t have.”

It has decided to focus on an enterprise on-premise version and is working with a handful of larger clients.

One thing those clients have asked for, he said, is the ability to not only update dependencies but the runtime itself with a pull request.

“This is surprisingly complicated because it’s not as if the dependencies are just defined in one file. … For these runtime or engine updates, it can be defined in so many places. So you have a Docker container that needs to run the right version. You have the CI that needs to be configured to run the right version, then you probably have a file that defines the runtime version for your development environment. And so this is all very client-specific and so we are trying to come up with a way to flexibly but quickly update all of these files at once. So you can get a pull request that has everything in there to get you going on a new version and makes rolling out these new versions a lot quicker,” he said.

It’s been hard to test because, in contrast to smaller libraries, runtime updates usually come out only a few times a year year in some languages “and so we don’t have that many opportunities to test that,” he said.

It also wants to support more languages, like PHP and Go.

“But it’s not entirely clear to us what the current gold standard for dependency management on Java really is, so we’re definitely looking at these things,” he said.

Snyk is a sponsor of The New Stack.

Image by Bill Kasman from Pixabay

A newsletter digest of the week’s most important stories & analyses.

View / Add Comments

Please stay on topic and be respectful of others. Review our Terms of Use.