Keeping your Xperience by Kentico project up-to-date using Dependabot
25/01/2024
When building websites or applications, it is vital that you keep your third-party libraries and frameworks up-to-date. Security vulnerabilities are found and fixed regularly, so promptly applying updates is a practice many clients now expect rather than merely consider desirable.
There are many tools available, such as Dependabot, which act as package scanners. You can use Dependabot to schedule automatic scans of your projects, identify outdated packages, and even raise pull requests for you so the changes can be applied quickly.
Over the years I have seen many open-source GitHub projects that use dependency scanners, but at IDHL we use Azure DevOps, which makes using Dependabot slightly more difficult. Dependabot runs natively only on GitHub, so on Azure DevOps you need to install a marketplace extension that runs it for you.
Let's take a look at how I set this up for my blog site! 👀
The first step is to set up the Dependabot configuration file, which lives in the repository at the location .github/dependabot.yml. GitHub has great documentation on how to configure this YAML file, and it is worth reading in full to configure the file effectively.
version: 2
updates:
  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"
  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"
  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"
In my configuration file, I have three separate configuration blocks for the three directories in which I want to check for dependency updates.
The first block uses the npm ecosystem to check for any front-end dependencies that might need updating in my admin project, which I created previously for adding custom modules to my admin site.
The second block also uses the npm ecosystem, which handles yarn lockfiles as well, to check for packages that might need updating in my presentation website project.
The final block checks the NuGet ecosystem for any .NET dependencies that might need updating.
However! You may prefer that Dependabot doesn't automatically handle Xperience by Kentico package updates. Applying a hotfix or refresh means updating the database as well as the packages, so a pull request that only bumps the package version leaves the database step undone. In this case, you might want to apply the hotfix manually and create the pull request yourself.
If you have made the conscious decision to do this, you can add ignore rules to your configuration blocks like this:
version: 2
updates:
  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"
    ignore:
      - dependency-name: "@kentico/*"
  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"
  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"
    ignore:
      - dependency-name: "Kentico.Xperience.*"
This example uses the Kentico package prefixes along with a wildcard to exclude every Kentico package when Dependabot scans the project. Two things to keep in mind: an ignored package gets no pull request at all, even when the release exists to fix a security issue, so someone needs to watch Kentico's hotfix announcements; and the wildcard also matches Kentico-published integration packages such as Kentico.Xperience.Lucene, which are released on their own cadence. If you would rather have those proposed automatically, list the core packages (Kentico.Xperience.WebApp and Kentico.Xperience.Admin) explicitly instead of using the wildcard.
If we were using GitHub, this is the only file you would need, and you would finish the setup by adding in the scheduling interval. GitHub's schema marks schedule.interval as mandatory on each block, so if the extension's parser rejects the file without one, add it; the value is irrelevant on Azure DevOps because the pipeline decides when Dependabot runs. As I'm using Azure DevOps and the marketplace extension, we'll need to set up a pipeline to schedule it. Let's take a look at an example YAML configuration file I am using for my pipeline!
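As an added example, not code from this post, from Kentico or from the Dependabot extension, here is a small Python dry run of those ignore rules. It reads the two manifest kinds the post scans (a package.json and a .NET project file), applies the dependency-name patterns the way Dependabot documents them (only `*` is a wildcard), and reports which dependencies would be skipped, so an over-broad pattern is caught before the first pipeline run. The manifests are constructed samples, the non-Kentico package names are stand-ins, and treating NuGet matching as case-insensitive is an assumption about Dependabot's behaviour based on NuGet IDs themselves being case-insensitive.

```python
"""Dry-run Dependabot ignore rules against a project's manifests."""
import json
import re
import xml.etree.ElementTree as ET

# Ignore rules mirroring the post's dependabot.yml, keyed by package-ecosystem.
IGNORE_RULES = {
    "npm": ["@kentico/*"],
    "nuget": ["Kentico.Xperience.*"],
}

# Constructed sample manifests. Package names other than the Kentico ones are
# stand-ins and the versions are illustrative only.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "admin-client",
    "dependencies": {
        "@kentico/xperience-admin-base": "28.0.0",
        "react": "18.2.0",
    },
    "devDependencies": {
        "@kentico/xperience-webpack-config": "28.0.0",
        "typescript": "5.3.3",
    },
})

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Kentico.Xperience.WebApp" Version="28.0.0" />
    <PackageReference Include="kentico.xperience.admin" Version="28.0.0" />
    <PackageReference Include="Kentico.Xperience.Lucene" Version="4.0.0" />
    <PackageReference Include="Serilog.AspNetCore" Version="8.0.0" />
    <PackageReference Include="XperienceCommunity.ImageProcessing" Version="1.0.0" />
  </ItemGroup>
</Project>
"""


def npm_dependencies(package_json_text):
    """Collect every dependency name declared in a package.json."""
    data = json.loads(package_json_text)
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}))
    return sorted(names)


def nuget_dependencies(csproj_text):
    """Collect PackageReference IDs from a .NET project file."""
    root = ET.fromstring(csproj_text)
    return sorted(
        el.get("Include") for el in root.iter("PackageReference") if el.get("Include")
    )


def _pattern_to_regex(pattern, case_insensitive):
    # Dependabot's dependency-name patterns use only '*' as a wildcard, so every
    # other character is escaped rather than handed to a shell-style matcher.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if case_insensitive else 0)


def classify(ecosystem, names, rules=IGNORE_RULES):
    """Split dependency names into (ignored, updated) under one ecosystem's rules.

    NuGet IDs are case-insensitive, so nuget rules are matched that way (an
    assumption about Dependabot's own matching, not a documented guarantee).
    """
    regexes = [_pattern_to_regex(p, ecosystem == "nuget") for p in rules.get(ecosystem, [])]
    ignored, updated = [], []
    for name in names:
        (ignored if any(r.match(name) for r in regexes) else updated).append(name)
    return ignored, updated


def report(rules=IGNORE_RULES):
    """Run both sample manifests through the rules and return the outcome per ecosystem."""
    result = {}
    for ecosystem, names in (
        ("npm", npm_dependencies(SAMPLE_PACKAGE_JSON)),
        ("nuget", nuget_dependencies(SAMPLE_CSPROJ)),
    ):
        ignored, updated = classify(ecosystem, names, rules)
        result[ecosystem] = {"ignored": ignored, "updated": updated}
    return result


if __name__ == "__main__":
    for ecosystem, groups in report().items():
        print(f"[{ecosystem}] ignored: {groups['ignored']}")
        print(f"[{ecosystem}] updated: {groups['updated']}")
```

Running it shows the wildcard catching Kentico.Xperience.Lucene alongside the core packages; passing a narrower rule set, such as {"nuget": ["Kentico.Xperience.WebApp", "Kentico.Xperience.Admin"]}, to classify() leaves Lucene in the updated list while still skipping the two packages that need the database step.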
trigger: none # Disable CI trigger
name: 'Dependabot-$(date:yyyyMMdd)$(rev:.r)'
schedules:
  - cron: '0 2 * * 1' # Monday at 2am UTC
    always: true # run even when there are no code changes
    branches:
      include:
        - main
    batch: true
    displayName: Monday
pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)
steps:
  - task: dependabot@1
    displayName: 'Run Dependabot'
    inputs:
      azureDevOpsAccessToken: '$(PAT)'
This configuration file schedules the pipeline to run every Monday at 2am UTC, regardless of code changes. It is currently set to run against the main branch, but this could be any branch, maybe a dev or working branch. I also wanted Dependabot to run under a specific access token. Store that PAT as a secret pipeline variable (or pull it from a variable group backed by Key Vault) so it is masked in the logs, grant it only the scopes the extension needs to push update branches and open pull requests, and give it an expiry date so a leaked token has a short life.
That is it - basically two configuration files, simple! Now you just need to review the code changes and approve the pull request. 👀