Delio Tech: Replacing ‘Patch Tuesdays’ through automated dependency updates

15th May 2020

‘Patch Tuesday’ has become a widely known term within the IT industry – but not always for positive reasons. Historically, it refers to the day when Microsoft would release new version updates and patches of software. Usually, Developers and Testers alike would have no idea how these external software updates or tech patches could affect their internal applications, which meant that testing their impact was vital.

While Patch Tuesdays provide consistency and can be a convenient way to test external software changes (as teams can allocate a single day to do all testing), they also come with limitations – especially for tech teams that are looking to scale. Testing the patches can take an incredible amount of time, as the back-and-forth process of working out how external changes impact your application and then fixing any resulting issues can be lengthy. This testing can sometimes take so long that by the time a ‘Patch’ is ready to go into production, it is already out of date – meaning a lot of work and effort has been put into something that is no longer relevant.

We believe this isn’t the best practice for us or our clients

We realised that it was difficult to keep a clear overview of all the external application dependencies since they would take a significant amount of testing before they could be deployed into production. Developers had many other things on their agenda that needed to be prioritised, such as developing and testing new features or responding to clients’ requests. Either way, keeping manually up-to-date with and testing all external software developments wasn’t top of the to-do list. Not only did this cause a backlog, making the whole process ineffective, but more importantly, it led to outdated code – potentially exposing us to known vulnerabilities and bugs.

We needed to find a better solution to check how external changes would impact our technology and, given the recent investment in automating our CI/CD pipeline*, we had the perfect opportunity to automate the dependency management testing process. Automated end-to-end tests would primarily save time; however, as the tests are linked within the pipeline, they would also check for any security issues. Consequently, automation is less tedious from a Tester’s point of view. This means we’re less likely to miss out on testing dependencies (as this is automatic), and can guarantee a safer and more stable platform thanks to keeping dependencies up-to-date.

But how would we do this? We started by enabling Dependabot within GitHub, our development platform. The app automatically detects out-of-date dependencies and creates ‘pull requests’ – flagging any snippets of code that need to be changed so the update doesn’t break the application. While this process initially seemed to be an ideal solution, we quickly came across issues. Devs started to fall behind on pull requests again, spending too much time on fixing and testing dependency updates. While Dependabot saved some time, we knew we could do better and decided to change the integration.

Looking for alternative solutions

It made sense for us to continue to use Dependabot’s automation, but we needed a better way to use the tool with our existing branch protection. As suggested by Dependabot, we decided to combine GitHub Actions with Dependabot’s automatic merge functionality. This new process can be broken down as follows:

The image highlights Delio’s new automated dependency updates. Human input is only needed when tests fail or when there is an issue with the build due to the updated dependency.
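As an added illustration (not Delio’s own configuration), the workflow below shows the GitHub Actions half of that process in the pattern GitHub’s own documentation describes: it runs only on Dependabot’s pull requests, reads the kind of version bump from Dependabot’s metadata, and queues patch and minor updates for auto-merge so they land as soon as the required CI checks pass. The file path and the decision to leave major bumps for a human are assumptions.

```yaml
# .github/workflows/dependabot-automerge.yml  (added example, not Delio's config)
name: Dependabot auto-merge

on: pull_request   # fires on every PR; the job below filters to Dependabot's

# Workflows triggered by Dependabot get a read-only GITHUB_TOKEN unless the
# permissions they need are granted explicitly.
permissions:
  contents: write        # needed to enable auto-merge on the PR
  pull-requests: write   # needed to approve the PR

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Never act on human-authored PRs, only on those Dependabot itself opened.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Read Dependabot's metadata for this PR
        id: meta
        uses: dependabot/fetch-metadata@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Major bumps are the ones most likely to carry breaking changes and
      # deserve a human reading the changelog, so only patch and minor
      # updates are handed to auto-merge (assumed policy, not Delio's).
      - name: Approve and enable auto-merge for patch and minor updates
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          steps.meta.outputs.update-type == 'version-update:semver-minor'
        run: |
          gh pr review --approve "$PR_URL"
          # --auto does not merge now: GitHub merges the PR only once every
          # required status check on the protected branch has succeeded.
          gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The gate that makes this safe is branch protection, not the workflow: the CircleCI build must be listed as a required status check on the protected branch, otherwise `--auto` has nothing to wait for and an untested update would merge immediately.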

To place your trust in automation, testing is key

This new process only requires human intervention if CircleCI flags up failed tests or if there’s an issue with the build due to the updated dependency; otherwise, the process is entirely automated. However, as we place a considerable amount of trust in this automation, it was essential to test any changes thoroughly. At Delio, we follow a test-driven development practice, meaning we create tests before we build any code. In doing so, we develop robust tests that can be automated, which leads to more reliable code and fewer errors.

By making the most of automation in this way, we can guarantee that we always have the latest, up-to-date code. As a result, we don’t carry any third-party security vulnerabilities for which a patch has already been released, and this entire process is completed without any human intervention, which means our team focuses on what matters most: delivering great features to our products.

An example of the automated conversation between Dependabot and GitHub Actions – Delio’s automated dependency updates

*CI/CD: Continuous Integration/Continuous Deployment. This pipeline automates the development, testing and deployment of code.