We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency Upgrades is the result of an exciting new partnership between Snyk and Neighbourhoodie Software, who are the makers of Greenkeeper and developer tooling innovators.

The Greenkeeper team has been in the business of helping developers keep their software up-to-date and healthy since 2015 and was among the pioneers in this space. Joining forces with another dev-friendly team was a natural choice for us and we’re proud to see the final result of this partnership now made available for both Snyk and Greenkeeper users.

The (growing) challenge of open source dependencies

Developers pull vast amounts of open source dependencies into their code, both direct and indirect. A lot of these dependencies include security vulnerabilities, and being able to apply fixes greatly depends on how up-to-date these dependencies are; the further behind your version is, the harder it gets to upgrade.

Staying on top of vulnerable and out-of-date dependencies is critical for keeping applications both secure and healthy. It’s also virtually impossible for even the most skilled team of developers without automation in place. Manually reviewing dependencies across projects and upgrading them when necessary is a daunting task, to say the least.

With Automatic Dependency Upgrades, Snyk Open Source continuously monitors any integrated project and automatically triggers actionable, context-rich pull requests when new versions for dependencies are identified. Full control over pace and scope ensures developers aren’t overwhelmed with too many upgrades. Leveraging Snyk’s comprehensive and always up-to-date vulnerability database, Automatic Dependency Upgrades also ensures that recommended versions never introduce new vulnerabilities.

Dev-friendly upgrade workflows

At Snyk, our goal has always been to provide developers with tools that fit into their existing workflows instead of creating new ones. Automatic Dependency Upgrades is no exception to this rule, integrating natively into code repositories and triggering automatic dependency upgrades just like any other pull request.

As with any pull request, dependency upgrade pull requests can be reviewed and verified before merging to ensure there is no risk of breakage. In the same spirit, Snyk won’t trigger an upgrade pull request for a dependency version less than 21 days old, as our research has shown that this can help avoid illegitimate versions, in the case that the maintainers account is compromised and a deliberately malicious version released.

Make data-informed upgrade decisions

Unlike other automated solutions that simply push updates on new versions, Snyk provides contextual and actionable information to help developers make more informed upgrade decisions. This becomes extremely important in projects including a large number of outdated dependencies and helps prioritize what to upgrade.

Snyk’s automated upgrade pull requests include details on the maturity of the suggested upgrade and dependency release notes. Details on security vulnerabilities that the upgrade remediates are also provided, including their severity level and whether there are any known exploits for the specific vulnerability.

Control the pace of upgrades

While it’s crucial for the overall health of projects that dependencies are up-to-date, sifting through pull requests for every new version of every dependency can be a daunting and time-consuming task. We wanted to make sure developers are not overwhelmed by too much noise and therefore added control over the pace and scope for upgrade pull requests.

Since major version upgrades tend to be riskier, the default settings in Snyk trigger upgrade pull requests for minor version upgrades or patches only. Users can change this behavior and ask Snyk to trigger upgrade pull requests for major version upgrades as well – one of the things Neighbourhoodie helped us implement as part of our partnership.

Snyk allows you to limit the number of upgrade pull requests open at any given time and also specify any specific dependencies you wish to be ignored.

So…how do I get started?

Automatic Dependency Upgrades is available in all Snyk Open Source plans – Free, Standard, Pro and Enterprise. To start using this feature, simply sign up with Snyk, integrate your projects, and wait for an incoming pull request with recommended upgrades for your dependencies!

Automatic Dependency Upgrades is currently supported in npm, Maven-Central and Yarn projects on GitHub/GitHub Enterprise and Bitbucket Cloud. Additional project types will be supported soon so stay tuned for news.

For more information on this feature and Snyk Open Source, check out:

Happy upgrading!