renovate
Advanced tools
Renovate is a powerful tool for automating dependency updates in your projects. It helps keep your dependencies up-to-date, ensuring that your project remains secure and compatible with the latest versions of libraries and tools.
Automated Dependency Updates
Renovate can automatically update your dependencies by creating pull requests for new versions. The configuration below extends the base configuration, which includes sensible defaults for most projects.
{
  "extends": ["config:base"]
}
Customizable Configuration
You can customize Renovate's behavior using a configuration file. In this example, packages that match the pattern '^@my-org/' are grouped together in a single pull request.
{
  "extends": ["config:base"],
  "packageRules": [
    {
      "packagePatterns": ["^@my-org/"],
      "groupName": "my-org packages"
    }
  ]
}
Scheduling Updates
Renovate allows you to schedule when updates should be created. The configuration below schedules updates to be created before 5 AM on Mondays.
{
  "extends": ["config:base"],
  "schedule": ["before 5am on monday"]
}
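The three fragments above merged into a single renovate.json5, written here as an added example (it is not the page's own file and not a file shipped by the Renovate project), with the options a security-minded maintainer usually adds on top. Renovate reads JSON5, so the comments are legal. The option names are real Renovate settings; the org scope, the 3-day delay, the timezone and the label name are assumptions, and "matchPackageNames" is the current spelling of the older "packagePatterns" used in the fragment above.

```json5
// renovate.json5 (added example; Renovate accepts JSON5, so comments are allowed)
{
  // "config:base" is the older alias that current Renovate migrates to "config:recommended"
  "extends": ["config:base"],

  // Raise routine update PRs only early on Monday, evaluated in a fixed timezone (assumed UTC)
  "schedule": ["before 5am on monday"],
  "timezone": "Etc/UTC",

  // Wait 3 days (assumed value) after a version is published before proposing it:
  // a package version that turns out to be malicious is often pulled from the
  // registry within that window, so it never reaches a pull request
  "minimumReleaseAge": "3 days",

  // Keep a dashboard issue listing pending, rate-limited and blocked updates
  "dependencyDashboard": true,

  // PRs triggered by GitHub/OSV vulnerability alerts use their own defaults, which
  // bypass the schedule and the release-age delay so fixes for known CVEs are not held back
  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]   // assumed label name
  },

  "packageRules": [
    {
      // Same grouping as the fragment above, using the current option name and a glob
      "matchPackageNames": ["@my-org/**"],
      "groupName": "my-org packages"
    },
    {
      // Pin container images to an immutable digest so a re-pushed tag cannot change silently
      "matchDatasources": ["docker"],
      "pinDigests": true
    }
  ]
}
```

Before committing a file like this, run Renovate's bundled validator from the repository root (`npx --yes --package renovate -- renovate-config-validator`); it rejects unknown keys and reports deprecated names, which is how the older "packagePatterns" spelling shows up if it is still in use.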
Dependabot is a GitHub-native tool for automating dependency updates. It is similar to Renovate in that it creates pull requests for new versions of dependencies. However, Dependabot is more tightly integrated with GitHub and may be easier to set up for users already using GitHub.
Greenkeeper is another tool for automating dependency updates. It was one of the first tools in this space and offers similar functionality to Renovate. However, Greenkeeper has been deprecated in favor of Snyk, which now includes similar features.
Snyk is a comprehensive security tool that includes features for automating dependency updates. While it offers similar functionality to Renovate, Snyk also provides additional security features such as vulnerability scanning and remediation.
Renovate is an automated dependency update tool. It helps to update dependencies in your code without needing to do it manually. When Renovate runs on your repo, it looks for references to dependencies (both public and private) and, if there are newer versions available, Renovate can create pull requests to update your versions automatically.
Renovate can provide updates for most popular languages, platforms, and registries, including npm, Java, Python, .NET, Scala, Ruby, Go, Docker and more. It supports over 90 different package managers.
Renovate updates code repositories on the following platforms: GitHub, GitLab, Bitbucket, Azure DevOps, AWS CodeCommit, Gitea, Forgejo, and Gerrit (experimental).
The most effective way to run Renovate is to use an automated job scheduling system that regularly runs Renovate on all enabled repositories and responds with priority to user activity. Mend offers cloud-hosted and self-hosted solutions. See the options below.
Supports: GitHub.com, Bitbucket Cloud
Hosted by Mend.io. No setup is needed. Community plan available (Free)
Supports: GitHub, GitLab, Bitbucket Data Center
Install and run your own Renovate server. Access internal packages.
If you can’t use a pre-built job scheduling system, or want to build your own, the following options are available:
Mend provides a GitHub Action or a GitLab Runner to help you run Renovate as a CI pipeline job.
There are several ways to run the Renovate CLI directly. See docs: Running Renovate for all options.
Supports: all platforms
Please open a Discussion to get help, suggest a new feature, or to report a bug. We only want maintainers to open Issues.
To contribute to Renovate, or run a local copy, please read the contributing guidelines.
The Renovate project is proudly supported and actively maintained by Mend.io.
If you find any bug with Renovate that may be a security problem, then e-mail us at: renovate-disclosure@mend.io. This way we can evaluate the bug and hopefully fix it before it gets abused. Please give us enough time to investigate the bug before you report it anywhere else.
Please do not create GitHub issues for security-related doubts or problems.
FAQs
Automated dependency updates. Flexible so you don't need to be.
The npm package renovate receives a total of 160,007 weekly downloads. As such, renovate's popularity was classified as popular.
We found that renovate demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.