How to Keep Your Package Dependencies Up to Date on Azure DevOps

Apoorv TyagiApoorv Tyagi
5 min read

Introduction

As a developer, how often have you seen a repository with packages that are out of date?

New package updates generally include new features, performance improvements, and security fixes. But keeping track of all outdated dependencies in your project can be really boring and a time consuming task, especially if you have lots of them.

So to do this sort of housekeeping, I tried out Dependabot.

How Dependabot Works

Dependabot goes through the dependency files of your project. For instance, it searches your package.json or pom.xml files and inspects for any outdated or insecure dependencies. If it finds any, it opens individual pull requests to update each one of them.

This tool is natively integrated with GitHub. But recently, I had to solve this problem of updating dependencies for a project running in Azure DevOps. So I decided to find a workaround to integrate Dependabot with Azure Pipelines. In this blog post, I will share my solution.

If you go to Azure DevOps Extension Marketplace and search for "Dependabot", you will find an extension by Tingle Software. Using this extension we can easily integrate Dependabot with our repos in Azure DevOps.

You can check if you have this extension in your "Organization Settings" in Azure DevOps. If not, make sure you have it installed before proceeding.

1-2

Installed Extensions - Azure DevOps

How to Create the Azure Pipeline

Let's now start with creating a new YAML file for your Azure pipeline:

trigger: none

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot'
            inputs:
              packageManager: 'npm'
              targetBranch: 'develop'
              openPullRequestsLimit: 10

In the task parameters, I have specified three params:

  1. packageManager: It specifies the type of packages to check for dependency upgrades. Examples: nuget, maven, gradle, npm, and so on.

  2. targetBranch: It is an optional parameter that defines the branch to be targeted when creating pull requests. When not specified, Dependabot will pick the default branch of the repository.

  3. openPullRequestsLimit: This is again an optional parameter that specifies the maximum number of open pull requests to have at any one time. By default, it opens 5 pull requests at a time.

You can go through all the Task Parameters that the extension supports to tweak your implementation. Now just simply configure this YAML file with a new azure pipeline and then you're ready to run it.

3-2

Pipeline Configuration - Azure DevOps

The next step is to give your repository's Project Collection Build Service access so that Dependabot can create the pull request to your project's repositories.

For that, go to your project settings. Here, you click on the repositories and search for the repo where you have integrated the pipeline.

After you have selected that, click on the security tab and search for project collection build service. You have to allow the following access to it:

  • Contribute

  • Contribute to pull request

  • Create Branch

  • Create Tag

  • Force Push

2-1

Access to raise PR in Repo

With this, you're completely ready to run the pipeline. Once you do it, you'll start receiving pull requests in your repository with the updated packages.

5-3

PR raised by Dependabot

How to Schedule the Pipeline

Up to this point, you've had to manually trigger the pipeline to run. To make it run automatically, you can configure schedules for your pipelines. This will trigger your pipeline to start based on a schedule.

Use the following syntax and add it to the very top of your YAML file:

schedules:
- cron: string
  displayName: string
  branches:
    include: [ string ]
  always: boolean

The branches’ include parameter specifies which branches the schedule applies to.

The always parameter specifies whether to "always" run the pipeline or only if there have been any source code changes since the last successful scheduled run. The default is false.

For this case, you set its value to true as Dependabot updates are independent of any code changes.

The time zone for cron schedules is UTC and cron syntax is as follows:

mm HH DD MM DW
 \  \  \  \  \__ Days of week
  \  \  \  \____ Months
   \  \  \______ Days
    \  \________ Hours
     \__________ Minutes

So if you want to run your pipeline every week on Sunday at 12pm UTC, you would need to write - cron: "0 12 * * 0" (update the cron to suit your needs).

This is how your final YAML should look like after adding a schedule:

schedules:
  - cron: "0 12 * * 0"
    displayName: Weekly Dependency Updates
    branches:
      include:
      - develop
    always: true

trigger: none

stages:
  - stage: CheckDependencies
    displayName: 'Check Dependencies'
    jobs:
      - job: Dependabot
        displayName: 'Run Dependabot'
        pool:
          vmImage: 'ubuntu-latest'
        steps:
          - task: dependabot@1
            displayName: 'Run Dependabot'
            inputs:
              packageManager: 'npm'
              targetBranch: 'develop'
              openPullRequestsLimit: 10

This pipeline does the following for you:

It runs every week (Sunday 12pm UTC in this case) and looks for any outdated or insecure dependency. If it finds any, it opens pull requests to update each one of them individually.

Hopefully, this will help you to keep your project dependencies up to date in Azure DevOps!

Wrapping Up

With this, we come to the end of the article. My DMs are always open if you want to discuss further on any tech topic or if you've got any questions, suggestions, or feedback in general:

Happy learning!

0
Subscribe to my newsletter

Read articles from Apoorv Tyagi directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Apoorv Tyagi
Apoorv Tyagi

Backend Engineering Lead. I write about practical tips and epic stories about my experiences in the field of computer science and engineering. If you enjoy reading my articles or found any of them helpful and want to show your support, you can do so by sponsoring this blog!