Renovate integration with Dependabot security alerts for transitive dependency upgrades #41825
Replies: 3 comments 1 reply
- I think it's a great idea! But isn't Renovate already doing this on its own? Doesn't Renovate create PRs to bump packages even without security issues?
- I'll be on holiday next week, but hope to get a more full response when I'm back. To use terminology from the Go ecosystem, this is a "likely accept", with some caveats (which I'll share more on in the future).
- This would be a great feature. We are evaluating Renovate as a replacement for Dependabot, but this is a missing feature that makes it tough to recommend. Dependabot is also struggling with pnpm transitive dependencies, so if Renovate could handle that we'd be more enthusiastic adopters.
I’d like to open a discussion related to an increase in security issues in transitive dependencies of node modules. While Renovate does an excellent job of keeping direct dependencies up to date, it currently cannot update transitive dependencies unless the top-level dependency itself is updated. I understand this is an expected behaviour at the moment, but as a result, vulnerabilities in indirect dependencies often remain unresolved, especially when upstream packages are slow to release new versions.
I am wondering if the current behaviour can be extended to work together with Dependabot security alerts and open PRs that update dependencies to non-vulnerable versions, creating overrides if necessary? I expect this to target only those dependencies flagged by security alerts.
I’ve discussed this idea with @secustor, and we thought it might be worth opening it up to the community for consideration and feedback. Also, I would be happy to contribute to this topic.
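As an added illustration of the proposal above (example code written for this page, not Renovate's or Dependabot's), a small Node script that walks an npm lockfile, finds nested installs of an alerted package that are still below the first patched version, and proposes the scoped override a PR could add to package.json; the lockfile, the alert's field names and the package names are all constructed.

```javascript
// Constructed package-lock.json (lockfileVersion 3) shape, package names made up:
// util-lib is patched at top level but a vulnerable copy is nested under web-framework.
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "web-framework": "^1.0.0", "util-lib": "^4.17.21" } },
    "node_modules/web-framework": { version: "1.0.0", dependencies: { "util-lib": "^4.17.0" } },
    "node_modules/web-framework/node_modules/util-lib": { version: "4.17.15" },
    "node_modules/util-lib": { version: "4.17.21" },
  },
};
// Constructed alert (field names are an assumption, not the GitHub alert schema).
const ALERT = { package: "util-lib", firstPatchedVersion: "4.17.21" };

// Numeric comparison of plain "x.y.z" versions; returns -1, 0 or 1.
// (A real tool would use a semver library to handle ranges and prereleases.)
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every install of the alerted package older than the patched version, with
// the top-level dependency that nests it (parent is null for the direct install).
function findVulnerableInstalls(lockfile, alert) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages)) {
    // "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"]
    const chain = path.split("node_modules/").filter(Boolean).map((s) => s.replace(/\/$/, ""));
    if (chain.length === 0 || chain[chain.length - 1] !== alert.package) continue;
    if (!entry.version || compareVersions(entry.version, alert.firstPatchedVersion) >= 0) continue;
    hits.push({ path, version: entry.version, parent: chain.length > 1 ? chain[0] : null });
  }
  return hits;
}

// Build the remediation: nested copies get a scoped override (npm "overrides" nesting,
// pnpm "parent>child" selector); a vulnerable direct install is a plain dependency bump.
function proposeOverrides(hits, alert) {
  const plan = { npmOverrides: {}, pnpmOverrides: {}, directBumps: [] };
  for (const hit of hits) {
    if (hit.parent === null) { plan.directBumps.push(alert.package); continue; }
    plan.npmOverrides[hit.parent] = { ...plan.npmOverrides[hit.parent], [alert.package]: alert.firstPatchedVersion };
    plan.pnpmOverrides[`${hit.parent}>${alert.package}`] = alert.firstPatchedVersion;
  }
  return plan;
}
console.log(JSON.stringify(proposeOverrides(findVulnerableInstalls(LOCKFILE, ALERT), ALERT), null, 2));
```

Scoping the override to the parent that nests the vulnerable copy keeps the change limited to the flagged path, which is the "only those dependencies flagged by security alerts" behaviour the proposal asks for.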