Intelligent Dependency Management with AI: Dependency updates and code change suggestions (on breaking changes, etc.)


Release notes

Problem to solve

Dependency lifecycle integrations such as Renovate or Dependabot provide automated updates (package version bumps, security updates, etc.) in the form of MRs.

This only covers bumping the version in the package manager's dependency file; it does not come with the code changes the bump requires. Major version updates can break API or ABI compatibility, which forces developers and DevOps engineers to refactor the code after updating the dependency.

From personal experience, I really disliked reading changelogs and re-learning the implementation on breaking changes every time we bumped a dependency to a new major version. Sometimes, minor versions also broke the code.

Requirements

  1. Dependency management either built into GitLab or provided through an integration with Renovate (https://blog.jdriven.com/2022/08/running-renovate-on-gitlab-com/)
  2. Consider building an AI-powered dependency management system, combined with the Remediation plans for Threat Insights in https://about.gitlab.com/direction/govern/threat_insights/dependency_management/

Intended users

User experience goal

Proposal

AI could help with understanding:

  1. How the dependencies and their imported functions, variables, etc. are used (scoping rules differ per programming language)
  2. Whether a given dependency version bump contains breaking changes that would affect the code that uses it

MVC idea: Create an MR that triggers CI/CD pipelines that run code tests. If there are no tests yet, generate them with AI help too. If the tests would fail after bumping the

Without needing to run CI/CD or unit tests, an ideal AI would detect when a version upgrade breaks function interfaces, renames or removes global variables, etc.; anything the current implementation uses.

  1. Based on the analysis of what could break, or could be refactored (for better performance, for example), the AI should create code suggestions in the form of an MR for the teams to review.

Reframed proposal

Auto-remediation / intelligent dependency management, with AI knowledge of breaking changes and false positives

  1. Reduce noise and only patch updates that are actually necessary.
  2. Identify breaking changes in APIs/ABIs (changed function parameters, removed or renamed symbols, etc.)
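To make the two analysis steps above (how a dependency's symbols are used, and whether a bump breaks those uses) concrete, here is an added example that is not part of GitLab, Renovate or Dependabot. It assumes a hypothetical Python dependency `fancylib` and a hand-constructed map of its breaking changes between 1.x and 2.0 (a removed function, a renamed function, and a method that now requires an explicit `timeout=` keyword); in a real system that map would be derived from the changelog or an API diff of the two versions. The scanner uses only the standard-library `ast` module, follows `import ... as` aliases, and tracks `x = Client(...)` assignments so that `x.get(...)` resolves to `Client.get`. The rule that a CapWords symbol is a class is a heuristic assumption, as is the `**kwargs` handling.

```python
import ast
from dataclasses import dataclass

# Constructed breaking-change map for the hypothetical dependency "fancylib"
# (1.x -> 2.0). Not real data; a production tool would build this from the
# changelog or an API diff between the current and target versions.
BREAKING_CHANGES = {
    "removed": {"legacy_connect"},
    "renamed": {"fetch_all": "fetch_many"},
    # symbol -> keyword argument that must now be passed explicitly
    "new_required_kwarg": {"Client.get": "timeout"},
}


@dataclass(frozen=True)
class Finding:
    line: int
    symbol: str
    kind: str        # "removed" | "renamed" | "signature" | "unknown"
    suggestion: str


class UsageVisitor(ast.NodeVisitor):
    """Resolve local names back to dependency symbols and check each call site."""

    def __init__(self, dep, changes):
        self.dep = dep
        self.changes = changes
        self.aliases = {}    # local name -> symbol path ("" means the module itself)
        self.instances = {}  # local variable -> class symbol it was constructed from
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == self.dep:
                self.aliases[alias.asname or alias.name] = ""
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == self.dep:
            for alias in node.names:
                self.aliases[alias.asname or alias.name] = alias.name
        self.generic_visit(node)

    def resolve(self, node):
        """Map a Name/Attribute expression to a dependency symbol path, or None."""
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id) or None
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            base = node.value.id
            if base in self.aliases:
                prefix = self.aliases[base]
                return f"{prefix}.{node.attr}" if prefix else node.attr
            if base in self.instances:
                return f"{self.instances[base]}.{node.attr}"
        return None

    def visit_Assign(self, node):
        # Track `x = Client(...)` so a later `x.get(...)` resolves to Client.get.
        # Assumption: a CapWords symbol from the dependency is a class.
        if isinstance(node.value, ast.Call):
            sym = self.resolve(node.value.func)
            if sym and sym[0].isupper():
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        self.instances[target.id] = sym
        self.generic_visit(node)

    def visit_Call(self, node):
        sym = self.resolve(node.func)
        if sym:
            self._check(node, sym)
        self.generic_visit(node)

    def _check(self, call, sym):
        line = call.lineno
        if sym in self.changes["removed"]:
            self.findings.append(Finding(line, sym, "removed",
                                         f"{sym} no longer exists; needs a manual replacement"))
        elif sym in self.changes["renamed"]:
            new = self.changes["renamed"][sym]
            self.findings.append(Finding(line, sym, "renamed", f"rename call to {new}"))
        elif sym in self.changes["new_required_kwarg"]:
            kw = self.changes["new_required_kwarg"][sym]
            passed = {k.arg for k in call.keywords}
            if None in passed:
                # A `**kwargs` splat cannot be decided statically: flag for review.
                self.findings.append(Finding(line, sym, "unknown",
                                             f"check that {kw}= is supplied via **kwargs"))
            elif kw not in passed:
                self.findings.append(Finding(line, sym, "signature", f"pass {kw}= explicitly"))


def analyze(source, dep="fancylib", changes=BREAKING_CHANGES):
    """Return findings for one source file, ordered by line number."""
    visitor = UsageVisitor(dep, changes)
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample of application code that uses fancylib 1.x.
SAMPLE_SOURCE = """\
import fancylib
from fancylib import fetch_all as fa, Client

def load():
    conn = fancylib.legacy_connect("db://example")
    rows = fa(conn, limit=10)
    client = Client("https://api.example")
    return client.get("/items"), rows
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.symbol} [{f.kind}] -> {f.suggestion}")
```

On the sample this reports the removed `legacy_connect` on line 5, the renamed `fetch_all` (called through its alias `fa`) on line 6, and the `Client.get` call on line 8 that lacks the now-required `timeout=`. Findings of kind "removed" and "unknown" are the cases where an MR still needs a human (or a model with more context) rather than a mechanical rewrite; the other two could be turned directly into code suggestions.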

Why: Updating dependencies can take a while, especially when the functions or APIs in use are incompatible with the new version. Often, current development has to be halted to fix a pressing security update in a dependency first, which, on further inspection, turns into a full architecture rewrite. AI can analyze, assess, warn, and reduce context switching time. Eventually, it can create MRs that also update the code so that the CI/CD pipelines run green.

Further details

Original proposal on Twitter:

I was thinking about a dependabot-like system that will not only bump the versions but will also migrate your codebase to that new version. While this is not possible now and is probably some time off, these chores are something I want AI to help me with.


Permissions and Security

Documentation

Availability & Testing

Available Tier

GitLab Ultimate, because the feature targets large teams and projects and combines efficiency and security features.

Feature Usage Metrics

What does success look like, and how can we measure that?

What is the type of buyer?

Larger teams with projects that have many dependencies, either external or internal projects. Managers that want their developers to work efficiently and not waste time on refactoring code on dependency version bumps.

Is this a cross-stage feature?

Dependency management is ~"group::threat insights" (@abellucci) and requires collaboration with ~"group::source code" (assuming that the "explain this source code" AI feature is owned by that group - @derekferguson) and ~"group::ai framework" (@tlinz).

Not sure about the DRI. Dependency management has a larger scope than ~"section::sec": it touches all dependencies, regardless of security scanning.

What is the competitive advantage or differentiation for this feature?

Links / references

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
