Node.js
Vadim, 2021-09-18 21:52:08

What do you recommend: Renovate or Snyk?

I have a task to automatically update packages in Node.js and React repositories using CI/CD. Heard about Renovate and Snyk recently? Do you use them, and how easy is it (and is it necessary) to build them into pipelines to automatically update outdated app packages in Bitbucket? What are the problems with their use?

1 answer(s)
Vasily Bannikov, 2021-09-18
@vabka

I have a task to automatically update packages in Node.js and React repositories using CI/CD.

IMHO, updating packages should not be automatic, and even more so should not be part of CI/CD, because the application is tested on very specific versions of packages, and in general package-lock was not invented for some kind of automation to overwrite it.
Another more or less OK option is a kind of Dependabot, which makes a PR with updated packages, which can be accepted if all the tests pass.
So Renovate looks like a perfectly normal solution for timely updates.
Snyk, on the other hand, is some kind of full-cycle solution to check dependencies and all that even before accepting a PR.
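
An added example, not part of the answer above and not code from Renovate, Dependabot or Snyk: a small Node.js helper a reviewer could run on an update PR to see what it changes in package-lock.json before accepting it. It assumes lockfileVersion 2 or 3 (the `packages` map); the function names, package names, URLs and integrity strings are constructed for illustration.

```javascript
// Added example: summarize what an update PR changes in package-lock.json.
// Assumes lockfileVersion 2 or 3, where "packages" maps install path -> entry.
function diffLockfiles(baseLock, prLock) {
  const base = baseLock.packages || {};
  const pr = prLock.packages || {};
  const changes = [];
  for (const path of new Set([...Object.keys(base), ...Object.keys(pr)])) {
    if (path === "") continue; // root project entry, not a dependency
    const before = base[path];
    const after = pr[path];
    if (!before) {
      changes.push({ path, kind: "added", to: after.version });
    } else if (!after) {
      changes.push({ path, kind: "removed", from: before.version });
    } else if (before.version !== after.version) {
      changes.push({ path, kind: "version", from: before.version, to: after.version });
    } else if (before.resolved !== after.resolved || before.integrity !== after.integrity) {
      // Same version, different tarball URL or hash: a version bump never causes this.
      changes.push({ path, kind: "source-changed", version: after.version });
    }
  }
  return changes;
}

// Changes a human should look at: anything outside the packages the PR says it
// updates (often legitimate transitive changes), plus every "source-changed" entry.
function needsReview(changes, announcedNames) {
  return changes.filter((c) => {
    const name = c.path.split("node_modules/").pop();
    return c.kind === "source-changed" || !announcedNames.includes(name);
  });
}

// Constructed sample lockfiles (hypothetical packages, URLs and hashes).
const entry = (version, host, hash) => ({ version,
  resolved: `https://${host}/pkg-${version}.tgz`, integrity: `sha512-CONSTRUCTED-${hash}` });
const baseLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": entry("1.2.0", "registry.example.test", "A"),
  "node_modules/example-util": entry("2.0.0", "registry.example.test", "B"),
} };
const prLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/example-lib": entry("1.3.0", "registry.example.test", "C"),
  "node_modules/example-lib/node_modules/example-dep": entry("0.1.0", "registry.example.test", "D"),
  "node_modules/example-util": entry("2.0.0", "mirror.example.test", "B"),
} };
console.log(needsReview(diffLockfiles(baseLock, prLock), ["example-lib"]));
```

In a pipeline the two inputs would be the package-lock.json from the target branch and from the PR branch, each read and passed through `JSON.parse`.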
