Liam Goldfinch

Keeping your Xperience by Kentico project up-to-date using Dependabot

25/01/2024

When building websites or applications, it is vital that you keep your third-party libraries and frameworks up-to-date. Security vulnerabilities are spotted and fixed regularly, so promptly applying updates is often considered a desirable practise for many clients.

There are many tools available such as Dependabot which act as packages scanners. You can use Dependabot to schedule automatic scans of your projects, identify outdated packages, and even raise pull requests for you to quickly apply the changes.

Over the years I have seen many open-source GitHub projects that use dependency scanners, but at NetConstruct we use Azure DevOps which makes using Dependabot slightly more difficult. As Dependabot runs natively in GitHub, you need to install an extension for Azure DevOps.

Let's take a look at how I set this up for my blog site! 👀

The first step is to set up the Dependabot configuration file, which lives in the repository at the location .github/dependabot.yml. GitHub has great documentation on how to configure this YAML file, and is definitely needed to fully understand how to configure it effectively.

version: 2
updates:

  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"

  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"

  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"

In my configuration file, I have three separate configuration blocks for three specific directories I want to check dependency updates.

The first block uses the npm ecosystem to check for any front-end dependencies that might need updating in my admin project, which I created previously for adding custom modules to my admin site.

The second block also checks the npm ecosystem for packages that might need updating for my presentation website project.

The final block checks the NuGet ecosystem for any .NET dependencies that might need updating.

However! You may prefer Dependabot doesn't automatically handle Xperience by Kentico package updates. When updating projects with the latest hotfixes or refreshes, it's essential to update the database as well as the packages. In this case, you might want to opt to create the pull request yourself after applying the hotfix manually.

If you have made the conscious decision to do this, you can add ignore rules to your configuration blocks like this:

version: 2
updates:

  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"
    ignore:
      - dependency-name: "@kentico/*"

  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"

  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"
    ignore:
      - dependency-name: "Kentico.Xperience.*"

This example uses the Kentico packages prefixes along with a wildcard to exclude any Kentico packages when Dependabot scans the project.

If we were using GitHub, this is the only file you would need, and you would finish the setup by adding in the scheduling interval. However, as I'm using Azure DevOps and the marketplace extension, we'll need to setup a pipeline to schedule it. Let's take a look at an example YAML configuration file I am using for my pipeline!

trigger: none # Disable CI trigger

name: 'Dependabot-$(date:yyyyMMdd)$(rev:.r)'

schedules:
- cron: '0 2 * * 1' # Monday at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - main
  batch: true
  displayName: Monday

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  displayName: 'Run Dependabot'
  inputs:
    azureDevOpsAccessToken: '$(PAT)'

This configuration file schedules the pipeline to run every Monday at 2am UTC, regardless of code changes. It is currently set to run against the main branch, but this could be any branch, maybe a dev or working branch. I also wanted Dependabot to run under a specific access token.

That is it - basically two configuration files, simple! Now you just need to review the code changes and approve the pull request. 👀

An example pull request created by Dependabot
An example pull request created by Dependabot

You might also be interested in...

Setting up Azure Key Vault in Kentico Xperience 13

23/10/2023

Azure Key Vault is useful for securing sensitive data for both Kentico Xperience 13 presentation and administration websites, but how do you implement it? Let's take a look!

Creating a Custom Module in Xperience by Kentico

04/08/2023

Kentico has always excelled at allowing developers to extend the admin site. However, with Xperience by Kentico, there are some notable differences. Let's walk through a step-by-step process for creating custom modules in Xperience by Kentico.

Revolutionising Digital Experience: A Year of Xperience by Kentico and What's Next

11/05/2023

It’s been over a year since Kentico announced their new platform and the much-anticipated launch is nearly with us. In this blog we’re taking a look at some of Xperience by Kentico’s newest features.