CoursesSoftware supply chain securitySecuring source & dependencies

Managing updates safely

Dependabot/Renovate and a patch cadence.

Intermediate10 min · lesson 6 of 18

Pinning dependencies creates a tension: pinned versions are reproducible, but frozen versions rot — they accumulate known vulnerabilities as CVEs are disclosed against them. The resolution is not to unpin, but to update deliberately and continuously. Automated update tools (Dependabot, Renovate) watch your locked dependencies, open a pull request when a new version is available, and let your normal review-and-test pipeline vet each bump. You stay pinned and current at the same time.

renovate.json
{
"extends": ["config:base"],
"packageRules": [
{ "matchUpdateTypes": ["patch", "minor"], "automerge": true,
"matchCurrentVersion": "!/^0/" }, // auto-merge low-risk patches that pass CI
{ "matchUpdateTypes": ["major"], "automerge": false } // majors get human review
],
"vulnerabilityAlerts": { "labels": ["security"], "automerge": false }
}

Separate the security update from the feature update

Treat a security-driven update differently from a routine one. A patch that fixes a known CVE should be fast-tracked — flagged, prioritized, and merged on a short clock, because the window between disclosure and exploitation is measured in days. Routine minor and patch bumps can flow through automatically once CI passes; major version bumps, which carry breaking-change risk, get human review. Encoding these tiers in the update tool means the urgent gets urgency and the routine does not consume attention.

A cadence, not a scramble

The goal is that updating is a steady, boring background process rather than a periodic emergency. Small, frequent, tested updates keep you close to current and make each change low-risk and easy to review; letting dependencies drift for a year turns the eventual update into a massive, scary, breaking migration that gets deferred further — which is exactly how you end up running the version with the famous CVE. A patch cadence is a security control precisely because it keeps you patchable.

Automated update PRs run your CI — trust matters
An automated dependency update opens a PR whose build runs in your pipeline, so the update tool and the new dependency both execute in CI. Keep those PRs running on non-privileged runners without production secrets (the runner-isolation principle), require your scans to pass before merge, and review what an automerge is actually merging. Automation that keeps you current is good; automation that auto-merges unreviewed code into a privileged pipeline is a new attack path.