Snyk partners with the makers of Greenkeeper to help developers proactively maintain dependency health

Daniel Berman, Dan MckeanMarch 5, 2020

We’re pleased to announce the graduation of Automatic Dependency Upgrades, a Snyk Open Source capability that helps developers proactively reduce security vulnerabilities and maintain dependency health when using open source software. Automatic Dependency Upgrades is the result of an exciting new partnership between Snyk and Neighbourhoodie Software, the makers of Greenkeeper and innovators in developer tooling.

The Greenkeeper team has been in the business of helping developers keep their software up-to-date and healthy since 2015 and was among the pioneers in this space. Joining forces with another dev-friendly team was a natural choice for us and we’re proud to see the final result of this partnership now made available for both Snyk and Greenkeeper users.

The (growing) challenge of open source dependencies

Developers pull vast amounts of open source dependencies into their code, both direct and indirect. A lot of these dependencies include security vulnerabilities, and being able to apply fixes greatly depends on how up-to-date these dependencies are; the further behind your version is, the harder it gets to upgrade. 

Staying on top of vulnerable and out-of-date dependencies is critical for keeping applications both secure and healthy. It’s also virtually impossible for even the most skilled team of developers without automation in place. Manually reviewing dependencies across projects and upgrading them when necessary is a daunting task, to say the least. 

With Automatic Dependency Upgrades, Snyk Open Source continuously monitors any integrated project and automatically triggers actionable, context-rich pull requests when new versions for dependencies are identified. Full control over pace and scope ensures developers aren’t overwhelmed with too many upgrades. Leveraging Snyk’s comprehensive and always up-to-date vulnerability database, Automatic Dependency Upgrades also ensures that recommended versions never introduce new vulnerabilities. 

Dev-friendly upgrade workflows

At Snyk, our goal has always been to provide developers with tools that fit into their existing workflows instead of creating new ones. Automatic Dependency Upgrades is no exception to this rule, integrating natively into code repositories and triggering automatic dependency upgrades just like any other pull request. 

As with any pull request, dependency upgrade pull requests can be reviewed and verified before merging to ensure there is no risk of breakage. In the same spirit, Snyk won’t trigger an upgrade pull request for a dependency version less than 21 days old: our research has shown that this waiting period helps avoid illegitimate versions, such as a deliberately malicious release published after a maintainer’s account has been compromised.

Make data-informed upgrade decisions

Unlike other automated solutions that simply push updates on new versions, Snyk provides contextual and actionable information to help developers make more informed upgrade decisions. This becomes extremely important in projects including a large number of outdated dependencies and helps prioritize what to upgrade.

Snyk’s automated upgrade pull requests include details on the maturity of the suggested upgrade and dependency release notes. Details on security vulnerabilities that the upgrade remediates are also provided, including their severity level and whether there are any known exploits for the specific vulnerability.

Control the pace of upgrades

While it’s crucial for the overall health of projects that dependencies are up-to-date, sifting through pull requests for every new version of every dependency can be a daunting and time-consuming task. We wanted to make sure developers are not overwhelmed by too much noise and therefore added control over the pace and scope for upgrade pull requests.

Since major version upgrades tend to be riskier, the default settings in Snyk trigger upgrade pull requests for minor version upgrades or patches only. Users can change this behavior and ask Snyk to trigger upgrade pull requests for major version upgrades as well – one of the things Neighbourhoodie helped us implement as part of our partnership.  

Snyk also allows you to limit the number of upgrade pull requests open at any given time and to specify dependencies that should be ignored altogether.
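The selection rules described in the previous sections (the 21-day minimum release age, minor/patch-only upgrades unless majors are enabled, never recommending a version with known vulnerabilities, and an ignore list) can be expressed as a single candidate filter. The following is an added example written for this post, not Snyk’s or Greenkeeper’s code; it assumes plain `MAJOR.MINOR.PATCH` version strings and that each release record already carries a `vulnerable` flag from some vulnerability database lookup.

```javascript
// Added example (not Snyk's or Greenkeeper's code): a candidate filter that
// applies the upgrade policy described in the post, namely skip releases
// younger than 21 days, propose minor/patch upgrades only unless majors are
// allowed, never propose a version with known vulnerabilities, and honour an
// ignore list. Versions are assumed to be plain "MAJOR.MINOR.PATCH" strings.
const MIN_RELEASE_AGE_DAYS = 21;

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// dep: { name, current, releases: [{ version, publishedAt, vulnerable }] }
// opts: { allowMajor = false, ignore = [], now = new Date() }
function selectUpgrade(dep, opts) {
  const { allowMajor = false, ignore = [], now = new Date() } = opts || {};
  if (ignore.includes(dep.name)) return null;                          // user opted out
  const cur = parseSemver(dep.current);
  const cutoff = now.getTime() - MIN_RELEASE_AGE_DAYS * 86400000;
  const eligible = dep.releases.filter((r) => {
    if (compareSemver(r.version, dep.current) <= 0) return false;      // not newer
    if (!allowMajor && parseSemver(r.version).major !== cur.major) return false; // major gated
    if (new Date(r.publishedAt).getTime() > cutoff) return false;       // too young
    if (r.vulnerable) return false;                                      // known vulns
    return true;
  });
  if (eligible.length === 0) return null;
  eligible.sort((a, b) => compareSemver(b.version, a.version));        // newest first
  return eligible[0].version;
}

// Constructed sample data (not real packages); "today" is the post's date.
const SAMPLE_NOW = new Date('2020-03-05T00:00:00Z');
const SAMPLE_DEP = {
  name: 'example-lib',
  current: '1.2.0',
  releases: [
    { version: '1.2.1', publishedAt: '2020-01-20T00:00:00Z', vulnerable: false },
    { version: '1.3.0', publishedAt: '2020-02-01T00:00:00Z', vulnerable: true },
    { version: '1.3.1', publishedAt: '2020-03-01T00:00:00Z', vulnerable: false }, // 4 days old
    { version: '2.0.0', publishedAt: '2020-01-01T00:00:00Z', vulnerable: false },
  ],
};
```

With the defaults the sample yields `1.2.1` (the vulnerable `1.3.0` and the four-day-old `1.3.1` are skipped); enabling `allowMajor` yields `2.0.0`, and listing the dependency in `ignore` yields `null`.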

So…how do I get started?

Automatic Dependency Upgrades is available in all Snyk Open Source plans – Free, Standard, Pro and Enterprise. To start using this feature, simply sign up with Snyk, integrate your projects, and wait for an incoming pull request with recommended upgrades for your dependencies! 

Automatic Dependency Upgrades is currently supported in npm, Maven-Central and Yarn projects on GitHub/GitHub Enterprise and Bitbucket Cloud. Additional project types will be supported soon, so stay tuned.

For more information on this feature and Snyk Open Source, check out:

  • Docs
  • Snyk Open Source

Happy upgrading! 
