
Using GitHub Dependabot in Go

Learn how to use GitHub Dependabot in projects written in Go.

When a project depends on third-party libraries, version changes are a common source of trouble.

For instance, an API may change in a particular release, and code that compiled against the older version stops working.

The usual response is to pin the version.

Go records library versions in go.mod, JavaScript in package.json (and its lockfile), and Python in requirements.txt, so each ecosystem lets you state explicitly which versions a project uses.

Vulnerabilities

However, pinning by itself is not as good a solution as it looks.
"Don't fix what isn't broken" sounds sensible, but releases carry not only new features but also security fixes, and a project pinned to an old version never receives those.

For example, the Log4Shell vulnerability in Java's Log4j 2 (CVE-2021-44228) could only be fixed by updating to a patched version.

Since I also regularly write code with bugs in it, it is no surprise that vulnerabilities can turn up anywhere, at any time.

Patches

In general a vulnerability is patched by moving to a fixed version.
But if the developer does not know that an update exists, or is not paying attention, the project may keep running the vulnerable Log4j (or any other library) indefinitely.

This is where Dependabot is a reasonable answer.

What is Dependabot?

Dependabot is GitHub's built-in dependency update service (its engine, dependabot-core, is open source). It periodically checks the dependencies declared in your repository and, when a newer version or a known vulnerability is found, opens a pull request with the bump. It does not change anything on its own: the pull request still has to be reviewed and merged. Two features share the name: version updates, configured through a dependabot.yml file, and security updates, driven by Dependabot alerts from the GitHub Advisory Database. The configuration shown in this post enables version updates.

When a newer version of a dependency is detected, Dependabot opens a pull request that bumps it.

The pull request body carries the release notes, changelog and commit list for the new version, so you can review what the update actually contains before merging.

The file diff of the pull request shows the version bump in go.mod together with the corresponding go.sum entries.

Setting Up

Setting up Dependabot looks complicated but is not. Create the file .github/dependabot.yml in the repository with the following content:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file

version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"

The package-ecosystem names the package manager of the language you are using; I write Go, so I chose gomod. The directory is the directory that contains go.mod; in my case it is / because the file is in the repository root. The schedule controls how often Dependabot checks for updates (daily, weekly or monthly); I configured it to check daily.
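As an added example (not the post's own configuration), here is a fuller dependabot.yml for the same kind of Go repository. It assumes go.mod sits at the repository root and that GitHub Actions workflows live under .github/workflows; everything else is standard Dependabot version-update syntax. Minor and patch bumps are batched into one weekly pull request, while major bumps, which are the ones most likely to change interfaces, still arrive as individual pull requests so they get separate review.

```yaml
# Added example, not the post's own config: Dependabot version updates for a
# Go repository whose go.mod is at the root (assumption) and which also has
# GitHub Actions workflows under .github/workflows (assumption).
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open PRs so a busy week does not flood the queue.
    open-pull-requests-limit: 5
    # Batch low-risk minor/patch bumps into a single PR. Major bumps are not
    # matched by this group, so each still arrives as its own PR for review.
    groups:
      go-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    labels:
      - "dependencies"
      - "go"
    commit-message:
      prefix: "deps"
      include: "scope"

  # The Actions used in CI (actions/checkout and friends) are dependencies
  # too, and Dependabot bumps their pinned versions with the same mechanism.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file only drives version updates; Dependabot security updates need Dependabot alerts enabled in the repository's security settings, and those pull requests arrive whenever an advisory matches, regardless of the schedule above. Dependabot also offers an ignore key that can silence major updates entirely, but an ignored dependency can stop receiving security-update pull requests as well, so grouping is the safer way to keep majors visible without letting them pile up.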

After the file is pushed, a job called Dependabot Update appears in the repository's Actions tab, and its run history and logs show each scheduled check.

Is it Necessary?

In practice, updating is not strictly necessary unless something is broken. Major version updates in particular are, under semantic versioning, allowed to break compatibility with the previous major, so interface changes and build errors are far more likely there; in Go a new major version is even a different import path (the module path gains a /v2, /v3 suffix), so it is never a simple version bump. Even minor and patch updates can introduce regressions.

With open source this is compounded by the fact that no vendor is contractually responsible for the code you pull in.

A recent example is the supply-chain attack on xz-utils, in which a backdoor was planted in the upstream releases 5.6.0 and 5.6.1 (CVE-2024-3094).

It was discovered and the affected releases were pulled before they reached most stable distributions, but it shows that a fresh release is not automatically a safer one.

Still, weighing the chance that an upgrade exposes you to a new vulnerability against the chance that it fixes a known one, the latter is considerably higher.

So, while it is not mandatory, using a tool like Dependabot to keep dependencies current, with review of each pull request before merging, is a reasonable default.

Precautions

Because a version bump can change an interface and break the build or the tests, the safest practice is to run the project's tests in CI (for example GitHub Actions) on every Dependabot pull request, so the failure shows up on the pull request rather than at deployment.

A green test run does not prove the upgrade is safe, but with a well-structured test suite most breakage is caught before merge.
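As an added example (not a workflow from the post), the following GitHub Actions workflow is the kind of check that should gate a Dependabot pull request for a Go module. The file path .github/workflows/ci.yml and the default branch name main are assumptions; the action names and go commands are standard. Besides building and testing, it checks that the bump left go.mod and go.sum consistent and runs govulncheck, which fails the job if the new dependency graph contains a vulnerability that is reachable from this module's code.

```yaml
# Added example, not from the post: .github/workflows/ci.yml (assumed path)
# that builds, vets, tests and vulnerability-scans the module on every push
# and on every pull request, including the ones Dependabot opens.
name: ci

on:
  push:
    branches: [main]   # assumption: the default branch is called main
  pull_request:

permissions:
  contents: read       # least privilege: CI only needs to read the checkout

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod   # use the toolchain version go.mod declares

      # A dependency bump must not leave go.mod/go.sum inconsistent, and the
      # cached modules must match the hashes recorded in go.sum.
      - name: Verify module files
        run: |
          go mod tidy
          git diff --exit-code go.mod go.sum
          go mod verify

      - name: Build and vet
        run: |
          go build ./...
          go vet ./...

      # -race catches data races that a new library version can introduce;
      # -count=1 disables the test cache so the new version is really exercised.
      - name: Test
        run: go test -race -count=1 ./...

      # Scan the dependency graph against the Go vulnerability database and
      # fail on vulnerabilities reachable from this module's code.
      - name: govulncheck
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
```

Workflows triggered by Dependabot pull requests run with a read-only GITHUB_TOKEN and do not see ordinary repository secrets, so a job like this one that needs no secrets is exactly what should gate those pull requests. Pair it with a branch protection rule that requires the test check to pass before merging, so a red run from a dependency bump cannot be merged by accident.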
