Keep your dependencies up-to-date—enable auto upgrades with Snyk

Dan
November 6, 2019 | in Product
| By Dan Mckean-Tinker

We are excited to announce the release of a new way to take action on the deep insights Snyk offers regarding security and project health—auto upgrades.

Where Snyk’s automated fix pull requests (PRs) apply targeted vulnerability fixes to make the smallest possible change, auto upgrades works to keep dependencies up to date, to help ensure overall project health. Even without remediating vulnerabilities, keeping dependencies up to date is hugely valuable. Snyk can now help with this by automatically creating pull requests to update your dependencies. Currently, npm and Maven-central packages are supported through GitHub (cloud and enterprise) and Bitbucket Cloud, with other languages and code management systems to follow.

Keep your dependencies up-to-date and healthy

Staying up to date and secure

This feature is an important addition to Snyk’s security toolset offering the ability to not only fix vulnerabilities but stay on the latest version – often the most secure and most quickly fixed when a vulnerability is found.

A pull request screenshot

Security insights

First and foremost, Snyk aims to increase awareness about vulnerabilities, and this remains a part Auto Upgrades. Every PR lists any vulnerabilities remediated as part of the upgrade, and will not introduce new vulnerabilities.

Limit the flow

While Snyk automatically creates upgrade PRs on your behalf, we also help you limit the potential flood of PRs with a configurable setting that limits the number of open PRs at one time. Once the limit is reached, Snyk won’t open any new upgrade PRs. (But don’t worry – Snyk PRs to fix vulnerabilities aren’t bound by this limit!)

Limit the number of open PRs

Getting started
It’s easy to get started. Simply go to your GitHub integration settings, and enable (or head over to Project settings for more granular flexibility).

Dependency upgrade pull requests (PRs) should start to roll in during the next recurring tests by Snyk (default daily), or read more about it in our Automated Dependency Upgrade documentation.

Applicable projects are set to inherit their settings from the Integration settings once you enable this feature. Additionally, Snyk also gives you more granular flexibility, allowing you to configure settings per project and override the Integration settings.

Enable auto upgrade PRs

What’s next?

We’re constantly working to give you more actionable insights and help you do something with them. With that in mind, we’re working to help ensure dependency health is easily tracked and managed. We’re investigating some pretty cool ideas, such as whether we can recommend alternative packages that meet your needs but that are better maintained, or less vulnerable. Watch this space!

Stay secure!