renovate
ort
Our great sponsors
renovate | ort | |
---|---|---|
113 | 3 | |
15,658 | 1,472 | |
3.5% | 1.6% | |
10.0 | 9.9 | |
3 days ago | about 2 hours ago | |
TypeScript | Kotlin | |
GNU Affero General Public License v3.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
renovate
-
Self-Hosted Is Awesome
> Yes, it is awesome until you have to sysadmin it, apply updates, patch it, fix security holes, etc. I am not saying all self-hosted solutions are like that. There are exceptions. However, the majority of open-source self-hosted solutions require a lot of extra work.
I'm currently self-hosting 10 different applications on my local server, which represents everything I've ever seen that looked fun or useful to me. Every one of them had a Docker image with an example compose file, which means updating them just requires periodically running Renovate [0] on the repo that stores all my compose files and then running a script that docker compose pulls the updates. It takes maybe 10 minutes every other week, and is actually kinda fun.
It helps that all the apps are only accessible from within my VPN, so I'm not too worried about fixing security updates within a tiny time window.
-
Why I recommend Renovate over any other dependency update tools
This is a big deal! Where did you read this? I found:
-
Locally test and validate your Renovate configuration files
Renovate is an automated dependency management tool that can be used to keep your dependencies up-to-date. It can be configured to automatically create pull requests to update your dependencies, and it supports a wide range of package managers and platforms.
-
Understanding Mend Renovate's Pull Request Workflow
To get started with Mend Renovate, the comprehensive official documentation provides detailed instructions on installation, configuration, and best practices. Additionally, the Mend Renovate community forum offers a platform for users to connect, share experiences, and access the collective knowledge base.
-
Unfork with ArgoCD
It is a good practice to keep software up to date. To track changes in upstream software, we can utilize automatic dependency tracking systems such as Dependabot or Renovate. This is a broad topic and requires a separate article to be covered. If you would like to read about it, please vote in the comments section below.
- 🦊 GitLab CI YAML Modifications: Tackling the Feedback Loop Problem
-
Evaluating New Software Forges
So do other forges: I have Renovate [0] set up on my self-hosted Forgejo and it's worked great so far.
-
Long Term Ownership of an Event-Driven System
You can ease some of the burden for yourself though using tooling. If you are using GitHub, dependabot can be configured to make automatic PRs to your repo whenever there are dependencies to update. If you're not a GitHub user, you can use renovate which even supports self hosting.
-
How to Manage Helm Chart Dependency Versions?
Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.
- Dependency inventory / dashboard for multiple maven projects
ort
-
Microsoft open sources Salus software bill of materials (SBOM) generation tool
> Do HN got a recommendation for other CLI based SBOM generators?
Try ORT https://github.com/oss-review-toolkit/ort (full disclosure I am one of its maintainers and also a the lead of the SPDX Defects/Security Profile).
If people have questions on SBOMs, comparing SCA/SBOM tools or ORT - feel free to reach out to me https://github.com/tsteenbe/
ORT plug below ;-)
ORT is much more than a SBOM generator though, it's a cli/library that enables you to safely use, integrate, modify and redistribute third party software including FOSS.
You can use ORT to:
1. Generate CycloneDX or SPDX SBOMs for your software project
-
OPEN source alternative to whitesource
Depends if you are interested in both the license and security side of things. There are tools like ORT (https://github.com/oss-review-toolkit/ort) that are quite powerful but have a little learning curve. I also know about initiatives like OpenChain and Double Open (https://github.com/doubleopen-project/doubleopen-publications/blob/master/publication.md#double-open-landscape-survey) that have information available.
- OSS Review Toolkit: analyze dependencies of a project, download them, scan them for licenses, security advisories, and much more
What are some alternatives?
dependabot-core - 🤖 Dependabot's core logic for creating update PR's.
scancode-toolkit - :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!
dependabot
dependency-track - Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
scala-steward - :robot: A bot that helps you keep your projects up-to-date
barista - project barista - open source license and vulnerability management
updatecli - A Declarative Dependency Management tool
tern - Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
github-actions-and-renovate
fossology - FOSSology is an open source license compliance software system and toolkit. As a toolkit you can run license, copyright and export control scans from the command line. As a system, a database and web ui are provided to give you a compliance workflow. License, copyright and export scanners are tools used in the workflow.
bitbucket-branch-source-plugin - Bitbucket Branch Source Plugin
sbom-tool - The SBOM tool is a highly scalable and enterprise ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.