Dependency management

Our overall goal is to update all dependencies to new versions in a timely manner using a risk-based approach. If a dependency represents a security risk, the risk must be identified and the responsibility for performing suitable mitigation must be assigned. For dependencies that do not represent a security risk, we want to perform dependency updates as part of the normal development workflow.

Permitted external dependencies

We only work with a select subset of external libraries. Adding an external library needs to be approved by the IT-raad and must be checked against the same criteria as reviews.

Java

The permitted dependencies are defined in the <dependencyManagement> part of the root pom and the jar pom.
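As an added illustration (not the project's own pom files), this shows how the root pom pins a permitted library in <dependencyManagement> while the jar pom references it without a version; the groupId, artifactId and version are constructed placeholders:

```xml
<!-- Root pom.xml (constructed example): every permitted external library is pinned here, once -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0.0</version>
  <packaging>pom</packaging>

  <modules>
    <module>jar</module>
  </modules>

  <dependencyManagement>
    <dependencies>
      <!-- Library and version below are placeholders; the real list is the approved set -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.17.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- jar/pom.xml (constructed example): child modules reference managed libraries without a version -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId>
    <artifactId>parent</artifactId>
    <version>1.0.0</version>
  </parent>
  <artifactId>jar</artifactId>

  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <!-- No <version> here: it is inherited from the root dependencyManagement,
           so a version bump in the root pom updates every module at once -->
    </dependency>
  </dependencies>
</project>
```

Running `mvn help:effective-pom` inside the jar module shows the resolved version, which confirms that the module picks up the managed version rather than declaring its own.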

Maintaining and updating versions

There are three different levels of version update:

  • Latest (we always use the latest image; this breaks down if the newest image no longer works with our configuration)
  • Automatic update with a corresponding MR
  • Manual (this requires a written procedure)

External dependency management

We monitor every repository for new versions; we primarily use dependabot, which pushes an MR when an external version is updated.

  • Java (jar) : Renovatebot
  • NPM library : Renovatebot
  • NPM frontend : Renovatebot
  • Rust : Renovatebot
  • Docker (parent in our deployment images) : Rebuild parent every night
  • Other (nginx, servers) : Latest

Internal dependency management

Internal services push an MR with the changes as soon as the library they depend on is updated.

Work in progress