Automated reports for library upgrades
Currently, all library upgrades in our projects are a manual process, mostly because there is no central place to get reliable, timely information on version changes.
With two big projects to handle (omnibus-gitlab and GitLab charts), falling behind on upstream versions, or shipping different versions of the same library across the two projects, is both a potential source of security issues (an upstream fix we have not picked up) and a large maintenance burden.
To stay ahead of this problem, we should look for a way to streamline the process.
Roughly, this splits into two problems: making sure we ship the same versions of libraries across projects, and comparing the versions we currently ship with the latest upstream releases.
Same versions across projects
We would need to periodically scan both projects for the libraries and versions currently in use and check whether we ship the same version of each. The result of this scan could be a report issue listing all the differences and pinging the team.
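As an added example (not code from this page or from either project), here is the comparison half of that scan in Python: it takes one {library: version} inventory per project, reports libraries the two projects ship at different versions and libraries only one of them ships, and renders the result as a Markdown issue body. The two inventories are constructed sample data, and the `@example-team` handle is a placeholder; how the inventories are collected from each repository is left out and is the part a real implementation would have to fill in.

```python
import re
from typing import Dict, List

# Constructed sample inventories (not real data). A real scan would build these
# mappings from each project's own version definitions; the only assumption
# made here is the shape {library_name: version_string}.
OMNIBUS_VERSIONS: Dict[str, str] = {
    "libpng": "1.6.37",
    "openssl": "1.1.1k",
    "ruby": "v2.7.2",       # "v" prefix: a formatting difference, not a real one
    "postgresql": "12.6",   # shipped by omnibus only
}
CHARTS_VERSIONS: Dict[str, str] = {
    "libpng": "1.6.37",
    "openssl": "1.1.1j",    # lags one patch release behind omnibus
    "ruby": "2.7.2",
    "nginx": "1.19.6",      # shipped by charts only
}


def normalize_version(version: str) -> str:
    """Strip a leading 'v' so 'v2.7.2' and '2.7.2' compare equal.

    Everything else is compared verbatim: the point of the report is to catch
    real drift, so we only suppress the one cosmetic difference we understand.
    """
    return re.sub(r"^v(?=\d)", "", version.strip())


def compare_inventories(left: Dict[str, str], right: Dict[str, str]) -> Dict[str, list]:
    """Diff two {library: version} inventories.

    Returns a dict with:
      mismatched: [(library, left_version, right_version)] for libraries both
                  projects ship at different (normalized) versions
      only_left / only_right: libraries shipped by just one project
    All lists are sorted so repeated scans produce identical reports and a
    report can be compared with the previous one to see what changed.
    """
    shared = set(left) & set(right)
    mismatched = [
        (lib, left[lib], right[lib])
        for lib in sorted(shared)
        if normalize_version(left[lib]) != normalize_version(right[lib])
    ]
    return {
        "mismatched": mismatched,
        "only_left": sorted(set(left) - shared),
        "only_right": sorted(set(right) - shared),
    }


def render_report(diff: Dict[str, list], left_name: str, right_name: str,
                  mentions: List[str]) -> str:
    """Render the diff as a Markdown issue body that pings the given handles."""
    lines = [f"## Library version drift: {left_name} vs {right_name}", ""]
    if diff["mismatched"]:
        lines += [f"| Library | {left_name} | {right_name} |", "|---|---|---|"]
        lines += [f"| {lib} | {lv} | {rv} |" for lib, lv, rv in diff["mismatched"]]
        lines.append("")
    for key, name in (("only_left", left_name), ("only_right", right_name)):
        if diff[key]:
            lines.append(f"Only in {name}: " + ", ".join(diff[key]))
    if not (diff["mismatched"] or diff["only_left"] or diff["only_right"]):
        lines.append("No differences found.")
    lines += ["", "cc " + " ".join(mentions)]
    return "\n".join(lines)


if __name__ == "__main__":
    drift = compare_inventories(OMNIBUS_VERSIONS, CHARTS_VERSIONS)
    # "@example-team" is a placeholder handle, not a real group
    print(render_report(drift, "omnibus-gitlab", "GitLab charts", ["@example-team"]))
```

Two details matter in practice: the output is sorted so that a scheduled job can compare today's report with yesterday's and stay quiet when nothing changed, and the job that files the issue should look for an existing open report before opening a new one, otherwise a weekly schedule produces a pile of duplicate issues that the team learns to ignore.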
Compare current versions
The second step is to compare the current version of each library with what is available upstream. The hard part is the "what is available" side: we have no index of upstream versions to check against. We would need to either build such an index or find another way to learn about new releases.
Automate upgrade of dependencies, when available
While the Secure Product team works on this feature, we can leverage other tools to make our lives easier and automate the update process.
Dependencies.io can analyze the tags of a git repository and replace the version in a file when a newer tag is found.
We think we could use this for at least 25% of our dependencies in Omnibus.
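As an added example covering both the "compare with what is available" step and the tag-based bump just described, here is that workflow in Python. It is not code from this page, from Dependencies.io or from omnibus-gitlab: it reads the output of `git ls-remote --tags`, picks the highest release tag by numeric comparison, compares it with the version pinned in an omnibus-style software definition, and rewrites the `default_version` line. The `ls-remote` output, the definition file and the `default_version` / `sha256:` conventions it matches are constructed sample input, assumed here for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of `git ls-remote --tags <repo>` output (fake hashes, fake
# tags). It deliberately mixes release tags, a pre-release, the peeled "^{}"
# entries git prints for annotated tags, and tags that are not versions at all.
LS_REMOTE_SAMPLE = """\
0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c\trefs/tags/v1.2.9
4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b\trefs/tags/v1.2.9^{}
8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f\trefs/tags/v1.3.0-rc1
2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d\trefs/tags/v1.3.0
6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b\trefs/tags/v1.3.1
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0\trefs/tags/v1.10.0
e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4\trefs/tags/debian/1.3.1
c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0\trefs/tags/list
"""

# Constructed omnibus-style software definition (assumed format, not a real file).
DEFINITION_SAMPLE = '''name "libexample"
default_version "1.2.9"

source url: "https://example.invalid/libexample-#{version}.tar.gz",
       sha256: "0000000000000000000000000000000000000000000000000000000000000000"
'''

# Accept "1.2.3", "v1.2.3" and "release-1.2.3"; anything with a suffix such as
# "-rc1" is a pre-release and is ignored, as are tags like "debian/1.3.1".
TAG_RE = re.compile(r"^(?:v|release-)?(\d+(?:\.\d+)*)$")
DEFAULT_VERSION_RE = re.compile(r"""^(\s*default_version\s+)(["'])([^"']+)\2""", re.MULTILINE)
SHA256_RE = re.compile(r"^\s*sha256:", re.MULTILINE)


def parse_version(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn a release tag into a tuple of ints, or None if it is not a release tag."""
    m = TAG_RE.match(tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def list_version_tags(ls_remote_output: str) -> List[Tuple[Tuple[int, ...], str]]:
    """Parse `git ls-remote --tags` output into [(version_tuple, tag_name)]."""
    found = []
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        _sha, ref = line.split("\t", 1)
        # "^{}" lines are the peeled commit of an annotated tag; same tag, skip it
        if ref.endswith("^{}") or not ref.startswith("refs/tags/"):
            continue
        tag = ref[len("refs/tags/"):]
        version = parse_version(tag)
        if version is not None:
            found.append((version, tag))
    return found


def latest_tag(ls_remote_output: str) -> Optional[str]:
    """Highest release tag by numeric comparison, so v1.10.0 beats v1.3.1."""
    tags = list_version_tags(ls_remote_output)
    return max(tags)[1] if tags else None


def newer_available(current_version: str, ls_remote_output: str) -> Optional[str]:
    """Return the newest upstream version as 'x.y.z' if it is newer than current, else None."""
    current = parse_version(current_version)
    if current is None:
        raise ValueError(f"cannot parse current version {current_version!r}")
    tags = list_version_tags(ls_remote_output)
    if not tags:
        return None
    best_version, _tag = max(tags)
    return ".".join(str(p) for p in best_version) if best_version > current else None


def bump_default_version(definition_text: str, new_version: str) -> str:
    """Rewrite the single default_version line; refuse if there is not exactly one."""
    new_text, count = DEFAULT_VERSION_RE.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{new_version}{m.group(2)}", definition_text)
    if count != 1:
        raise ValueError(f"expected exactly one default_version line, found {count}")
    return new_text


def propose_bump(definition_text: str, ls_remote_output: str) -> Optional[Dict[str, object]]:
    """Combine the steps: find the pinned version, check upstream, produce the edited file.

    checksum_pinned is reported because bumping the version of a definition that
    also pins a source checksum is not enough on its own: the checksum must be
    updated too, or the build should fail closed on the stale one.
    """
    m = DEFAULT_VERSION_RE.search(definition_text)
    if not m:
        raise ValueError("no default_version line in definition")
    current = m.group(3)
    newest = newer_available(current, ls_remote_output)
    if newest is None:
        return None
    return {
        "from": current,
        "to": newest,
        "text": bump_default_version(definition_text, newest),
        "checksum_pinned": bool(SHA256_RE.search(definition_text)),
    }


if __name__ == "__main__":
    proposal = propose_bump(DEFINITION_SAMPLE, LS_REMOTE_SAMPLE)
    if proposal:
        print(f"bump {proposal['from']} -> {proposal['to']} "
              f"(checksum pinned: {proposal['checksum_pinned']})")
        print(proposal["text"])
```

Three things a tag-based bump has to get right, and which the sample input exercises: versions are compared numerically, not as strings (otherwise "1.3.1" sorts above "1.10.0"); pre-release and packaging tags are skipped rather than shipped; and a tag only says a release exists, not that it is safe, so the result should land as a merge request for review, with any pinned source checksum updated alongside the version rather than silently left stale.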