Renovate integration with Dependabot security alerts for transitive dependency upgrades #41825
Replies: 6 comments 9 replies
-
I think it's a great idea! But isn't Renovate already doing this on its own? Doesn't Renovate create PRs to bump packages even without security issues?
-
I'll be on holiday next week, but hope to get a more full response when I'm back - to use terminology from the Go ecosystem, this is a "likely accept", with some caveats (which I'll share more in the future)
-
This would be a great feature. We are evaluating Renovate as a replacement for Dependabot, but this is a missing feature that makes it tough to recommend. Dependabot is also struggling with pnpm transitive dependencies, so if Renovate could handle that we'd be more enthusiastic adopters.
-
I hope your holiday went well! I would be very interested in this feature as well and would love to hear more about the potential implementation.
-
This would be great, I just went looking for how to enable security updates for transitive dependencies and was surprised that it isn't a supported feature. I'll also add, the suggested workaround to enable
-
Hey folks, apologies for the late reply on this - my TODO list increases roughly twofold every day 🫣 I can confirm that this is a "yes" we'll be up for implementing this - I'll add a bit more detail shortly and get an Issue raised
-
I’d like to open a discussion related to an increase in security issues in transitive dependencies of node modules. While Renovate does an excellent job of keeping direct dependencies up to date, it currently cannot update transitive dependencies unless the top-level dependency itself is updated. I understand this is an expected behaviour at the moment, but as a result, vulnerabilities in indirect dependencies often remain unresolved, especially when upstream packages are slow to release new versions.
I am wondering if the current behaviour can be extended to work together with Dependabot security alerts and open PRs that update dependencies to non-vulnerable versions, creating overrides if necessary? I expect this to target only those dependencies flagged by security alerts.
I’ve discussed this idea with @secustor, and we thought it might be worth opening it up to the community for consideration and feedback. Also, I would be happy to contribute to this topic.
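The override mechanism the post describes, as an added example that is not Renovate's or Dependabot's code: it takes a constructed Dependabot-style alert for a transitive package, checks which lockfile-resolved versions fall inside the vulnerable range, and emits a `pnpm.overrides` entry pinning them to the patched version. The alert field names, the sample versions and the simplified range grammar are assumptions made here.

```javascript
// Added example, not Renovate's or Dependabot's code; alert fields, sample data and the range grammar are constructed.
// Compare dotted numeric versions ("1.2.3"); negative means a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Dependabot-style range ("< 4.17.21", ">= 1.0.0, < 1.2.5"): all bounds must hold.
function inRange(version, range) {
  return range.split(",").every((clause) => {
    const m = clause.trim().match(/^(<=|>=|<|>|=)?\s*([\d.]+)$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return c < 0;
      case "<=": return c <= 0;
      case ">": return c > 0;
      case ">=": return c >= 0;
      default: return c === 0;
    }
  });
}
// Which lockfile-resolved copies of the package does the alert affect?
function affectedVersions(alert, resolvedVersions) {
  return resolvedVersions.filter((v) => inRange(v, alert.vulnerableRange));
}
// Override "pkg@<range>" -> patched version; null when no resolved copy is
// vulnerable, so no override PR is needed for this alert.
function buildOverride(alert, resolvedVersions) {
  if (affectedVersions(alert, resolvedVersions).length === 0) return null;
  const selector = `${alert.package}@${alert.vulnerableRange.replace(/\s+/g, "")}`;
  return { [selector]: alert.patchedVersion };
}
// Merge into package.json "pnpm.overrides" without mutating the input object.
function applyOverride(pkgJson, override) {
  const out = JSON.parse(JSON.stringify(pkgJson));
  out.pnpm = out.pnpm || {};
  out.pnpm.overrides = { ...(out.pnpm.overrides || {}), ...override };
  return out;
}
// Constructed sample: one alert, two resolved copies (one vulnerable), a package.json.
const sampleAlert = { package: "example-lib", vulnerableRange: "< 1.2.5", patchedVersion: "1.2.5" };
const sampleResolved = ["1.1.0", "1.2.5"];
const samplePkg = { name: "app", dependencies: { "top-level": "^3.0.0" } };
console.log(JSON.stringify(applyOverride(samplePkg, buildOverride(sampleAlert, sampleResolved)), null, 2));
```

The resulting `"example-lib@<1.2.5": "1.2.5"` entry is the kind of override a Renovate PR would have to add for a flagged transitive dependency; real pnpm override selectors follow pnpm's documented syntax, which this sketch only approximates.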