Keeping your Xperience by Kentico project up-to-date using Dependabot

25/01/2024

When building websites or applications, it is vital that you keep your third-party libraries and frameworks up-to-date. Security vulnerabilities are spotted and fixed regularly, so promptly applying updates is considered good practice by many clients.

There are many tools available, such as Dependabot, which act as package scanners. You can use Dependabot to schedule automatic scans of your projects, identify outdated packages, and even raise pull requests so you can quickly apply the changes.

Over the years I have seen many open-source GitHub projects that use dependency scanners, but at IDHL we use Azure DevOps which makes using Dependabot slightly more difficult. As Dependabot runs natively in GitHub, you need to install an extension for Azure DevOps.

Let's take a look at how I set this up for my blog site! 👀

The first step is to set up the Dependabot configuration file, which lives in the repository at .github/dependabot.yml. GitHub has great documentation on how to configure this YAML file, and it is definitely worth reading to fully understand how to configure it effectively.

version: 2
updates:

  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"

  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"

  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"

In my configuration file, I have three separate configuration blocks for the three specific directories in which I want to check for dependency updates.

The first block uses the npm ecosystem to check for any front-end dependencies that might need updating in my admin project, which I created previously for adding custom modules to my admin site.

The second block also checks the npm ecosystem for packages that might need updating for my presentation website project.

The final block checks the NuGet ecosystem for any .NET dependencies that might need updating.

However, you may prefer that Dependabot doesn't automatically handle Xperience by Kentico package updates. When updating a project with the latest hotfix or refresh, it's essential to update the database as well as the packages. In this case, you might opt to apply the hotfix manually and create the pull request yourself.

If you have made the conscious decision to do this, you can add ignore rules to your configuration blocks like this:

version: 2
updates:

  # Maintain dependencies for Kentico Admin project (npm)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"
    ignore:
      - dependency-name: "@kentico/*"

  # Maintain dependencies for Presentation site (yarn)
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web/wwwroot/sitefiles/"

  # Maintain dependencies for NuGet packages for solution
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"
    ignore:
      - dependency-name: "Kentico.Xperience.*"

This example uses the Kentico package prefixes along with a wildcard to exclude any Kentico packages when Dependabot scans the project.
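Because the ignored packages have to be updated by hand, it helps to know exactly which project references the wildcard rules exclude. The script below is an added example and not part of the original post or the Dependabot tooling: it reads the dependency-name globs for one ecosystem out of a constructed dependabot.yml (matching them the way Dependabot's wildcards match, case-insensitively against the NuGet package id) and splits the PackageReference entries of a constructed .csproj into "update manually" and "left to Dependabot". The package names and versions in the sample project file are illustrative only.

```python
"""Report which PackageReference entries Dependabot's ignore rules will skip."""
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample dependabot.yml mirroring the ignore rules above.
DEPENDABOT_YML = """\
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/Goldfinch.Web.Admin/Client/"
    ignore:
      - dependency-name: "@kentico/*"
  - package-ecosystem: "nuget"
    directory: "/Goldfinch.Web/"
    ignore:
      - dependency-name: "Kentico.Xperience.*"
"""

# Constructed sample project file; package names/versions are illustrative only.
CSPROJ_XML = """\
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Kentico.Xperience.WebApp" Version="28.0.0" />
    <PackageReference Include="Kentico.Xperience.Admin" Version="28.0.0" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
  </ItemGroup>
</Project>
"""

def ignore_patterns(yml_text, ecosystem):
    """Collect the dependency-name globs under every block for `ecosystem`.
    Minimal line-based parse of just the two keys needed here (no PyYAML)."""
    patterns, current = [], None
    for line in yml_text.splitlines():
        m = re.match(r'\s*-?\s*package-ecosystem:\s*"?([\w-]+)"?', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'\s*-\s*dependency-name:\s*"?([^"\s]+)"?', line)
        if m and current == ecosystem:
            patterns.append(m.group(1))
    return patterns

def classify_references(csproj_xml, patterns):
    """Split PackageReference ids into (skipped, scanned) using the globs;
    NuGet ids are case-insensitive, so compare lower-cased on both sides."""
    names = [el.get("Include") for el in ET.fromstring(csproj_xml).iter("PackageReference")]
    skipped = [n for n in names if any(fnmatchcase(n.lower(), p.lower()) for p in patterns)]
    scanned = [n for n in names if n not in skipped]
    return skipped, scanned

if __name__ == "__main__":
    skipped, scanned = classify_references(CSPROJ_XML, ignore_patterns(DEPENDABOT_YML, "nuget"))
    print("Update manually (ignored by Dependabot):", skipped)
    print("Left to Dependabot:", scanned)
```

Point it at your real dependabot.yml and .csproj files to get the list of packages the pipeline will never raise a pull request for.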

If you were using GitHub, this would be the only file you need, and you would finish the setup by adding a scheduling interval. However, as I'm using Azure DevOps and the marketplace extension, we need to set up a pipeline to schedule it. Let's take a look at the example YAML configuration file I'm using for my pipeline!

trigger: none # Disable CI trigger

name: 'Dependabot-$(date:yyyyMMdd)$(rev:.r)'

schedules:
- cron: '0 2 * * 1' # Monday at 2am UTC
  always: true # run even when there are no code changes
  branches:
    include:
      - main
  batch: true
  displayName: Monday

pool:
  vmImage: 'ubuntu-latest' # requires macos or ubuntu (windows is not supported)

steps:
- task: dependabot@1
  displayName: 'Run Dependabot'
  inputs:
    azureDevOpsAccessToken: '$(PAT)'

This configuration file schedules the pipeline to run every Monday at 2am UTC, regardless of code changes. It is currently set to run against the main branch, but this could be any branch, maybe a dev or working branch. I also wanted Dependabot to run under a specific access token, which is passed in through the $(PAT) pipeline variable.

That is it - basically two configuration files, simple! Now you just need to review the code changes and approve the pull request. 👀

An example pull request created by Dependabot