Bulletproof Your Project: Automate NPM Package Security Fixes with Recurring CI Tasks!

With a Reference Implementation in Azure DevOps and MS Teams

Introduction

Nothing is more annoying than a project with outdated dependencies. If you are not using tools like Dependabot or Mend (Renovate), updating dependencies is a tedious and error-prone task, especially in a project with a large number of them.

Outdated dependencies are a security risk and can cause bugs or performance regressions, so it is important to keep them up to date. But how can we do this in a safe and efficient way?

In this short blog post, I will show you an easy way to update your dependencies using only the command line and npm.

Preferred Way (as GitHub user)

I always recommend using Dependabot or Mend (Renovate) to check for outdated dependencies and create pull requests for you. This is the most convenient way to keep your project up to date without any manual work on your side. Both tools are free and support a huge variety of package systems and languages.

Alternative Way (without GitHub)

If you don't use GitHub, or can't use one of the tools mentioned above, you can use the following approach to update your dependencies.

NPM ships with a command called npm outdated. This command will list all outdated dependencies of your project.

npm outdated
Package              Current   Wanted   Latest  Location                         Depended by
@pulumi/pulumi        3.50.0   3.50.0   3.65.1  node_modules/@pulumi/pulumi      purrl-ts
@pulumiverse/purrl     0.3.1    0.3.1    0.4.0  node_modules/@pulumiverse/purrl  purrl-ts
@types/node         18.11.17  18.16.2  18.16.2  node_modules/@types/node         purrl-ts

As you can see, the command lists all outdated dependencies. The Current column shows the version of the dependency you are currently using. The Wanted column shows the newest version that still satisfies the semver range in your package.json. The Latest column shows the latest version of the dependency available in the registry, which may lie outside that range.

Now you can use the npm update command to update your dependencies.

npm update (-S)

This command updates every dependency to its Wanted version, i.e. the newest version allowed by the semver ranges in your package.json; it never moves past those ranges to the Latest version, so a newer major version still requires a manual bump.

Reference Implementation in Azure DevOps and MS Teams

Let's take a look at how we can use this approach in Azure DevOps Pipelines and connect it to MS Teams to get a little ChatOps feeling.

First of all, you need to create a webhook in MS Teams. You can find a detailed description of how to do this in the official Microsoft documentation.

Next, you create a new pipeline in Azure DevOps. I will use a simple pipeline with a single stage and a single job for the sake of simplicity.

trigger:
  - main

schedules:
  - cron: '0 14 * * *'
    branches:
      include:
        - main

parameters:
  - name: webhookUrl

pool:
  vmImage: ubuntu-latest

steps:
  - task: NodeTool@0
    inputs:
      versionSource: 'spec'
      versionSpec: '18.x'
    displayName: '๐Ÿง‘โ€๐Ÿ”ง Install Node.js'

  - script: |
      npm install
      npm outdated
    displayName: '🔎 Check for outdated dependencies'
    workingDirectory: 'examples/purrl-ts'

  - bash: |
      curl -v -X POST ${{ parameters.webhookUrl }} \
        -H 'Content-Type: application/json; charset=utf-8' \
        --data-binary @- << EOF
        {
          "type":"message",
          "attachments":[
            {
              "contentType":"application/vnd.microsoft.card.adaptive",
              "contentUrl":null,
              "content":{
                "$schema":"http://adaptivecards.io/schemas/adaptive-card.json",
                "type":"AdaptiveCard",
                "version":"1.2",
                "body":[
                  {
                    "type": "TextBlock",
                    "wrap": true,
                    "text": "NPM detected outdated packages at $(Build.Repository.Name) in the $(Build.SourceBranchName) branch, more details can be found in the build log. \r\r $(Build.Repository.Uri)"
                  }
                ]
              }
            }
          ]
        }
      EOF
    displayName: '🛫 Invoke webhook'
    condition: failed()

The pipeline is triggered on a schedule every day at 14:00 (Azure Pipelines cron schedules use UTC). When the npm outdated command detects outdated dependencies it exits with a non-zero code, so the pipeline fails. In this case the Invoke webhook task is executed (condition: failed()) and sends a message to MS Teams. Note that a pipeline parameter is not masked in the logs and curl -v prints the request line, so the webhook URL, which is effectively a credential, will appear in the build log; if the log is readable by more people than should be able to post to the channel, store the URL as a secret pipeline variable instead.
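The following Node script is an added example, not part of the original post: it takes the Current/Wanted/Latest semantics from the npm outdated table above, splits the report into what npm update will fix and what needs a manual bump, and builds the same Adaptive Card the pipeline posts, with the package list inline. The report object is a constructed copy of the post's table (not live registry data), and the repository name and URI passed in are assumed values.

```javascript
// Constructed sample of `npm outdated --json` output (mirrors the post's table,
// not live registry data): current / wanted / latest per package.
const SAMPLE_OUTDATED = {
  "@pulumi/pulumi": { current: "3.50.0", wanted: "3.50.0", latest: "3.65.1" },
  "@pulumiverse/purrl": { current: "0.3.1", wanted: "0.3.1", latest: "0.4.0" },
  "@types/node": { current: "18.11.17", wanted: "18.16.2", latest: "18.16.2" },
};

// Split the report into what `npm update` fixes on its own (wanted != current)
// and what lies outside the package.json semver range (latest != wanted) and so
// needs a manual bump and review. String inequality suffices: npm already resolved
// the ranges when it produced the report.
function classifyOutdated(report) {
  const autoUpdatable = [];
  const needsManualBump = [];
  for (const [name, info] of Object.entries(report)) {
    if (info.wanted !== info.current) {
      autoUpdatable.push(`${name} ${info.current} -> ${info.wanted}`);
    }
    if (info.latest !== info.wanted) {
      needsManualBump.push(`${name} ${info.wanted} -> ${info.latest}`);
    }
  }
  return { autoUpdatable, needsManualBump };
}

// Build the Adaptive Card the pipeline posts, with the package list inline instead
// of "see the build log". JSON.stringify escapes names and versions, so odd
// characters cannot break the payload the way they could in the hand-written heredoc.
function buildTeamsCard(repoName, branch, repoUri, summary) {
  const lines = [`NPM detected outdated packages at ${repoName} in the ${branch} branch.`];
  if (summary.autoUpdatable.length) {
    lines.push(`Fixed by npm update: ${summary.autoUpdatable.join(", ")}`);
  }
  if (summary.needsManualBump.length) {
    lines.push(`Outside the semver range (manual bump): ${summary.needsManualBump.join(", ")}`);
  }
  lines.push(repoUri);
  return JSON.stringify({
    type: "message",
    attachments: [{
      contentType: "application/vnd.microsoft.card.adaptive",
      contentUrl: null,
      content: {
        $schema: "http://adaptivecards.io/schemas/adaptive-card.json",
        type: "AdaptiveCard",
        version: "1.2",
        body: [{ type: "TextBlock", wrap: true, text: lines.join("\n\n") }],
      },
    }],
  });
}
```

In the pipeline you would feed the parsed output of npm outdated --json to classifyOutdated and POST the string returned by buildTeamsCard with curl instead of the inline heredoc.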

Conclusion

Keeping your project's dependencies up to date is essential for maintaining security, fixing bugs, and improving performance. Tools like Dependabot and Mend (Renovate) can automate the process, making it convenient and effortless. However, if you don't use GitHub or can't use these tools, you can still manage your dependencies efficiently from the command line with npm outdated and npm update.

By adopting these practices, you can ensure that your project stays current, secure, and performs at its best while minimizing the manual work involved in dependency management.
