Dependabot support/integration
Many companies rely on GitHub Advanced Security offerings to detect vulnerabilities in codebases. Dependabot is one such tool. Its ability to keep dependencies up to date is nice, but from a security perspective its ability to create alerts on vulnerabilities in dependency versions is crucial. It currently supports various package ecosystems including npm, pnpm, and yarn. It does not yet support deno.
Lack of Dependabot support/integration is a blocker for teams wanting to use deno in organizations that require Dependabot security alerting.
Ideas:
- Work with GitHub Advanced Security to help them support deno for security updates (ideally for general version updates and private repositories/registries too but at a minimum for security updates).
- Support some npm/pnpm/yarn lock file format, e.g. if deno can generate the package-lock.json file in the same format that npm does, then users will be able to use Dependabot today without issues. This should work short term until more tools support deno.lock, but it could also work long term as part of Deno's Node compatibility.
I know that Deno doesn't manage Dependabot, their priorities, etc., but I read "Dependabot version updates now support the bun package manager – [GA]" on the GitHub Changelog and got confused as to why bun support arrived before deno support.
Two ideas:
- Invite Deno enthusiasts and users to upvote https://github.com/dependabot/dependabot-core/issues/2417 (e.g. via Discord).
- Find someone at GitHub to collaborate with to help make this a reality.
Security tooling support is one of the last things my company needs before Deno can be used on production software.
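As an added example (not code from this thread or from the Deno project), a Python sketch of the second idea above: converting the npm section of a deno.lock into a minimal lockfileVersion 3 package-lock.json that Dependabot's npm ecosystem can audit. The deno.lock layout used here (version 4, with `specifiers` and `npm` maps) and the sample contents are assumed and constructed.

```python
import json
import re

# Constructed sample of a deno.lock (layout assumed; only the npm section
# matters, since Dependabot matches advisories on exact name + version).
SAMPLE_DENO_LOCK = json.dumps({
    "version": "4",
    "specifiers": {"npm:chalk@5": "5.3.0", "npm:@types/node@20": "20.11.0"},
    "npm": {
        "chalk@5.3.0": {"integrity": "sha512-constructedAAAA"},
        "@types/node@20.11.0": {"integrity": "sha512-constructedBBBB",
                                "dependencies": ["undici-types@5.26.5"]},
        "undici-types@5.26.5": {"integrity": "sha512-constructedCCCC"},
    },
})

# "name@version"; scoped names start with "@", so only the last "@" separates.
_KEY = re.compile(r"^(?P<name>@?[^@]+)@(?P<version>[^@]+)$")


def split_npm_key(key: str) -> tuple[str, str]:
    """Split a lock key such as '@types/node@20.11.0' into (name, version)."""
    m = _KEY.match(key)
    if not m:  # e.g. peer-dependency suffixes; fail loudly rather than guess
        raise ValueError(f"unrecognised npm lock key: {key!r}")
    return m["name"], m["version"]


def deno_lock_to_package_lock(deno_lock_text: str, project_name: str = "deno-project") -> dict:
    """Emit a flat package-lock.json (v3) with exact versions and integrity hashes."""
    lock = json.loads(deno_lock_text)
    packages: dict = {"": {"name": project_name, "dependencies": {}}}
    for key, meta in lock.get("npm", {}).items():
        name, version = split_npm_key(key)
        raw = meta.get("dependencies", [])
        dep_keys = raw.values() if isinstance(raw, dict) else raw  # v3 dict / v4 list
        deps = dict(split_npm_key(d) for d in dep_keys)
        entry = {"version": version, "integrity": meta.get("integrity", "")}
        if deps:
            entry["dependencies"] = deps
        packages[f"node_modules/{name}"] = entry
    # Direct dependencies are the npm: specifiers the project declares.
    for spec, resolved in lock.get("specifiers", {}).items():
        if spec.startswith("npm:"):
            name, _ = split_npm_key(spec[len("npm:"):])
            packages[""]["dependencies"][name] = resolved.removeprefix("npm:")
    return {"name": project_name, "lockfileVersion": 3, "requires": True, "packages": packages}


if __name__ == "__main__":
    print(json.dumps(deno_lock_to_package_lock(SAMPLE_DENO_LOCK), indent=2))
```

Committing the generated file next to deno.lock is enough for Dependabot alerts; version-update PRs would still edit only the generated file, so it needs regenerating whenever deno.lock changes.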
Instead of Dependabot, I am currently thinking of adding a deno manager to Renovate. Keep in mind that this is no easy task and is based solely on personal activity, with no guarantee that it will be achieved.
Renovate and Dependabot have different concepts and behaviors, but what they both have in common is that their implementation requires a large part of reverse engineering. Therefore, the implementation requires deep knowledge of the behaviour of Deno.
Also, Deno has its own dependency management (deno.json or HTTP import) in addition to being compatible with Node.js, so the implementation will be even more complicated than Bun. In addition, Dependabot is implemented in Ruby, so it will be difficult to contribute unless you can read and write Ruby to some extent.
I just discovered that Deno is not supported by Dependabot. Please help GitHub to make it possible.
Or please provide a custom GitHub Action to run deno outdated.
No news?
It would be nice if someone on the Deno team put together a PR to Dependabot to add Deno. They now say they welcome new ecosystems and already added Bun support.
I have to think that if a PR were opened for this, it would be merged.