►
From YouTube: Dependabot for Jenkins Development - Developer Meetup
Description
Jenkins Developer Meetup from January 24, 2020 where Oleg Nenashev highlights the use of Dependabot in the Jenkins project. He describes the challenges of dependency management and the ways that Dependabot simplifies those challenges. He also notes places where Jenkins plugin developers should think carefully before applying a dependency update.
Meetup page: https://www.meetup.com/Jenkins-online-meetup/events/267995271/
Slides: https://drive.google.com/file/d/1YbuiqyP1McNuo-Vc3wjpIBOXE3RUTZ-R/view
B
Hi
everyone-
you
know
thanks
for
coming,
so
just
for
those
who
do
not
know
what
developer
meetups
are
about.
Actually,
there
are
many
selfish
people,
because
we
are
just
starting
it's
our
second
Meetup.
So
the
idea
is
to
have
regular
the
meetups
for
people
who
contribute
to
Jenkins
who
want
to
know
more
about
development
for
Jenkins,
mostly
for
plug-in
development,
and
we
want
to
talk
about
developer
tools,
any
kind
of
best
practices.
So
it's
not
just
about
Jenkins.
B
We
will
be
covering
common
tools
which
other
software
engineers
navels
use
body
is
to
have
informal
discussions,
most
literal
focus
on
Show
and
Tell
and
demos.
So
we
have
some
slide
decks,
but
we
can
deviate
from
them
a
lot
and
you
invite
everybody
to
participate
in
the
discussion
and
we
messed
up
the
slides,
of
course,
and
if
you're
interested
to
speak
at
the
developers
made
it
up.
A
B
A
B
Today,
we
focus
on
dependable,
so
dependable
is
one
of
the
tools
which
allows
to
automate
dependency
management
for
github
repositories
if
you
use
bitbucket
or
the
source
code
systems
that
are
equivalent
balls,
but
yet
today
we
focus
only
on
github
and
only
on
a
single
boat.
There
are
other
solutions
available
if
you're
interested
to
get
these
slides,
they
listening
associate
in
the
zone
chart
and
it's
also
on
the
slide.
So
you
can
just
open
them
in
the
real
time.
B
Unless,
if
permissions
are
fine
and
they
will
focus
on
dependable,
they
will
provide
quick
introduction
and
then
I'll
show
how
we
used
in
Jenkins
and
provide
some
hints
how
to
properly
use
jackets.
That's
the
idea,
if
you
have
any
questions
again,
zoom
shot
mark
will
interrupt
me
if
you
need
it
and
the
results.
A
B
So
yeah,
actually
it's
dependency
hell
because,
whatever
dependency
management
system,
you
use
eventually
you
end
up
in
a
situation
when
you
have
hundreds
of
dependencies
coming
from
different
locations.
You
have
transitive
dependencies
at
some
point.
It's
just
difficult
to
understand,
booting
news
and
you
may
get
the
various
kinds
of
conflicts
and
eventually
your
Linux
system,
we
stopped
working
or
your
Jenkins
plugin,
may
end
up
with
phonetic
conflicts
and
fail
to
start
up
with
intelligent
assistance.
B
Sometimes
so,
obviously
we
want
to
prevent
that
in
Jenkins
we
actually
have
many
kinds
of
dependencies
if
we
talk
about
plug-in
ecosystem
and
Jake
discord.
So
it's
a
common
with
kiss
for
development
jenkins
code
may
include
a
number
of
libraries
which
exposed
to
consumers
as
API,
so
Jenkins
right
now
doesn't
have
association
between
plugins
and
between
libraries.
B
Plugins
depends
on
Jenkins.
Core
plug-in
may
also
depend
on
each
other
and
against
my
deployment
on
libraries.
In
such
cases,
we
have
multiple
plugins
dependent
on
a
single
library,
for
example,
maybe
Jackson
it
may
be
sneakier
mall
or
the
commonly
used
dependencies
which
a
quite
popular
and
plugins
might
require
them,
and
we
also
have
some
cases
where
plugins
and
the
Jenkins
call
depend
on
a
single
library
and
sometimes
plug-in
I
require
high
version.
Then
gently
Scott,
it's
technically
possible,
though
we
want
to
be
touching
to
this
part,
because
it's
not
recommended.
B
Why
did
we
start
working
on
the
dependency
management
in
Jenkins
I
mean
you
may
have
heard
about
javelin
support
project
in
Jenkins
and
one
of
the
things
we
had
to
do.
There
is
touched
a
bit
many
dependencies
because
we
needed
all
libraries
to
be
compatible.
This
Java
when
we
needed
to
update
development
tools
and,
as
you
may
imagine,
when
you
do
bulk
updates
things
start
falling
apart.
B
Sometimes
it's
difficult
to
record
what
happens
and
for
me
the
main
takeaway
from
that
project
was
that
actually
we
should
have
been
doing
dependency
management,
not
when
we
need
something
but
actually
be
readily
during
the
project
of
time.
So
we
would
be
picking
a
recent
dependencies.
Assuming
that
we
have
a
good
theory,
we
would
be
able
to
discover
issues,
but
we
would
be
able
to
provide
recent
versions
to
EPA
consumers
and
to
our
users,
because
libraries
also
could
bug
fixes.
B
Sometimes
ability
include
security
fixes
and
generally
want
to
stay
on
top
of
it
for
in
Jenkins,
the
most
popular
to
change
is
Java
and
medium.
There
was
something
in
switch
use,
Java
and
Loretto,
but
maybe
me
is
the
most
common
tool
and
in
maybe
there
are
plugins
which
allowed
to
actually
display
available,
updates
and
update
them.
So,
for
example,
there
is
a
common
domain
in
command,
but
if
you
just
run
it,
you
would
be
running
it
manager
and
since
we
are
talking
about
automation,
server
project
is
definitely
not
something
you
want
to
do.
B
We
want
to
automate
their
dependencies
and
the
dependencies.
There
are
many
tools,
the
most
popular
ones
dependable,
which
we
are
discussed
today.
The
results
arena
weight,
which
is
more
focused
on
front-end
projects
and
greenkeeper.
All
of
them
are
able
is
github
applications
and
they
integrate
these
changes
with
rustic.
Well,
but
again,
today
our
focus
is
dependable,
dependable
may
be
the
most
compelling
tool
for
because
github
has
equated
they
opened
about
last
spring.
So
now
depend
about
is
the
fact.
B
A
part
of
github
is
available
for
free
for
private
source
repositories,
obviously
for
open
source
as
well,
and
it
gets
a
lot
of
adoption.
You
can
use
dependable
in
two
ways.
One
is
CLI
tool,
so
you
can
just
run
it
externally,
but
what
you
can
actually
use?
It
happens
with
a
publication.
So
it's
a
tool
which
runs
in
South
and
integrates
with
you
with
your
repositories
and
with
commonly
on
github
tools.
So
you
don't
need
to
stop
everything
anything
you
just
click
view
checkboxes
and
get
training,
and
this
is
what
we
use.
B
B
B
There
are
some
updates
for
maybe
like
things
like
a
million-plus
front-end,
even
taking
your
receive
updates
for
test
libraries,
this
plug-in
pump.
It's
a
base
point
for
plug-in
development,
so
the
most
of
that
about
development
tools.
He
if
you
go
to
issue
this
boot
request,
we
can
now
see
that
better,
some
additional
information
provided
so,
for
example,
here.
B
So
what
do
we
have
here?
There
is
a
pull
request.
Again.
It's
submitted
automatically,
and
here
you
can
see
that
there
is
some
change
log.
Well,
this
time
it
wasn't
parsed
correctly,
but
at
least
we
have
a
link
which
points
to
the
front
end
where
you
can
see
the
changes
available
there.
Also
you
can
get
a
list
of
commits
which
you
want
to
enter
this
release
and
the
would
tries
to
do
some
big
data.
B
A
B
It's
something
to
keep
in
mind,
so
let's
try
to
find
something:
okay,
Gmail
in
+,
yep,
80%,
human
check
and
here
by
the
way
it
change,
looks
visualized
properly
in
the
web
interface,
which
helps
to
maintain.
So,
let's
take
a
look
at
this
80%
and
here
basically,
you
can
get
a
reference
to
the
pool
request
which
fails
so
here's
just
one
tool
request.
So
we
can
assume
that
there
were
five
bills
recently,
which
you
know
evolve
this
update,
and
here
we
can
see
why
it
fails.
So
it
fails
on
Travis.
B
A
B
This
would
depend
on
what
basically
does
you
enable
it
for
your
repositories
and
it's
thirst,
sending
cube
requests.
One
could
think
about
a
dependent
would
that
it
actually
supports
many
technologies.
So
it's
not
just
about
the
Java
million,
suppose
greater.
It
was
supports
other
way
introduced
like
JavaScript,
Ruby
goodnight
or
if
you
get
hub
actions
go,
you
can
also
find
package
manager
for
them.
You
can
see
that
some
dip
in
some
more
tools
in
the
beta
state,
so
it
means
that
there
are.
Some
change
is
happening.
B
We
look
if
we
talk
about
this
packaging
and
if
you
have
any
questions
again,
just
ask
I
have
a
few
slides
about
enabling
dependable,
but
again,
let's
just
take
a
look
at
that
in
real
and
before
it
shows,
and
one
of
my
repositories,
which
is
called
a
job
restrictions
plugin.
So
it's
just
a
plugin
for
prevention
of
job
application
when
used,
has
no
permissions
based
on
ownership
or
other
conditions
and
protecting
master.
B
So
here
right
now,
I
do
not
have
dependable
enabled,
and
if
you
go
to
the
plug-in
home,
you
can
see
that
there
are
some
dependencies
defined.
So
we
use
a
plugin
upon
the
depository
I
was
showing
this
version
is
3.8
Ian.
So
it's
almost
30
versions
behind.
We
also
have
dependency
on
Jenkins
core
and
we
have
to
plug
in
dependencies
for
test
purposes.
One
is
Patrick's
project,
another
one
is
metrics
authorization
plug-in.
So
what
we
will
do
here
and
I
just
have
dependable
interface
on
way.
B
Yes,
yeah,
so
I
need
to
enable
dependable
I
will
be
using
source
because
I
don't
want
to
spend
time
and
the
red.
So
if
you
use
dependable
in
your
organization,
just
you
will
meet
read
it
to
your
organization.
I
will
skip
this
step
because
we
already
have
it
injected
what
we
need
to
do.
Next,
we
need
to
add
our
repositories
to
the
repository
to
dependency
checks.
B
So
here
I
just
click
a
button
at
the
repository
you
can
see
a
number
of
repositories
offered
because
at
some
point
dependable
access
was
planted
for
them,
but
there
is
no
job
descriptions
plug-in
because
I
need
to
grant
access.
Why
we
need
to
that
is
because
of
the
admissions
dependable
needs
right
access
to
code
to
issues
and
pull
requests
because
it
needs
to
edit
labels.
It
means
to
submit
requests.
It
also
provides
a
chart
of
separations,
and
here
we
are
going
to
just
add
jobs,
restrictions
plugin.
B
So
if
you
are
plugging
maintainer,
yet
you
will
not
see
all
the
plugins
to
which
you
have
administrative
access
and
if
you
don't
have
any
straight,
if
access
to
your
plug-in,
you
just
need
to
submit
a
Anisha
and
we
will
fix
it
on
the
Jenkins
project
site.
So
I
save
permissions
are
granted
access
to
this
repository
and
then
I
will
just
refresh
this
page.
B
Okay,
and
here
we
have
job
restrictions,
plug-in
I,
edit
it
and
by
default
it
will
be
building
for
Java
million.
For
me
and
that's
what
we
need
to
do
so
here
you
can
see
that
there
is
job
restrictions
and
there
is
a
flag
chicken
now,
so
you
will
need
to
wait
for
a
while,
and
while
we
wait
I'll
just
proceed
with
the
presentation
it
because
I
haven't
tried
it
for
this
repository.
I
cannot
say
what
exactly
we
will
end
up
with
what
waiting.
A
B
That
correctly,
yes,
I
use
dependable
turtlecom,
but
it's
a
good
application.
So
it's
connected
to
github
all
right.
So
but
okay,
great,
thank
you,
yeah,
okay,
so
let's
wait
so
I
just
opened
this
repository
and
you
can
see
that
there
is
already
the
first
political
ending.
So
if
you
enable
it
for
the
big
project,
you
may
actually
receive
dozens.
B
So
the
lease
note,
references
are
already
presented
them
and
actually
it
changed
well
with
the
change
log
automation
story
which
we'll
be
discussing
in
the
previous
developer
meetup,
because
if
you
use
github
releases,
if
you
use
tools
like
release
drafter,
you
can
get
things
you
can
change
log
which
is
automatically
generated
and
you
can
pass
it
through
downstream
dependencies.
So
you
get
additional
benefits
for
using
github
releases
for
such
a
change
locks.
Another
thing
which
is
useful
for
dependability
is
comment
ops.
B
So,
let's
go
to
our
pull
request,
which
was
submitted
somewhere,
okay,
so
here
dependable
it
has
some
front-end,
but
you
can
also
talk
to
it
through
commands
and
there
is
a
number
of
commands
you
can
use
so,
for
example,
I,
if
you
have
some
merge
conflicts,
etc,
you
can
ask
to
rebase
they
change.
You
can
also
say
that
please
ignore
this
version.
B
A
B
Works.
Okay,
so
we
don't.
We
will
talk
about
configurations
code
a
bit
later,
but
you
it's
your
choice
as
a
beginning,
in
my
case,
I
use
the
base
a
lot.
You
can
also
use
dependable
mesh
and
this
is
intelligent
launch,
so
it
will
do
a
mesh
one
in
CIE
passes,
which
is
useful
and
it
combines
with
the
aging
can
say
we
should
build
a
Jenkins
components,
and
yet
there
are
some
other
to
request.
B
Ok,
so
here
we
also
get
a
few
extra
pou
requests
coming
in.
So,
for
example,
this
is
our
plugin
form
and
for
plug-in
pong
or
what
I
wanted
to
show
these
change
logs
again,
this
fully
automatically
generated
by
other
tools,
so
you
can
use
them
and
that
was
to
plug
in
a
bit.
So
we
can
see
that
plug-in
form
is
passed.
A
shy,
so
I
could
just
no
and
we
have
tests
failing
so
here,
matrix
project.
We
try
to
update
plug-in
and
it
failed.
So
why
did
it
fail?
We'll
see.
B
Okay,
it
felt
due
to
require
upper
bounds,
not
surprising
and
we'll
talk
about
it
later
in
the
presentation
so
yeah,
let's
just
move
on
then
so
one
another
feature
which
Marcus
has
already
hinted
is
configuration
is
good
because
indeed
you
can
configure
everything
for
dependent
about
from
web
UI.
But
in
such
case
it's
hard
to
trace
dependencies
is
hurtful
other
contributors
to
understand
what
so
bear,
but
you
can
help
figure
everything
using
settings,
and
here
you
have
an
example.
B
What's
the
take
a
look
at
another
plugin,
also
a
plugin,
so
here
you
can
see
that
there
is
dependable
folder
and
it
will
close
config,
ammo
and
config.
Camo
includes
some
options,
for
example,
here
say
that
I
do
dependency
management
for
million
in
the
root,
so
everything
under
the
route,
including
sub
modules,
will
be
checked
and
check.
You
see
be
clear:
there
are
some
default
reviewers
assigned.
This
issue
was
introduced
before
code
owners
related
to
github,
so
I
would
say
that
right
now
it's
a
rather
obsolete,
but
it's
available.
Oh
wait!
A
sec.
A
B
Because
code
owner
sees
a
new
github
feature
which
allows
to
set
up
for
reviewers
on
the
global
level
based
on
particular
patterns.
So
for
example,
here
we
have
github
team
or
all
strategic
plugin
developers
and
the
distant
abused,
all
incoming
requests.
So
when
you
pour
request
comes
in
it
doesn't
matter
what
the
its
depend
on
both
on
on
temp
and
about
one.
The
team
is
requested,
so
yeah
Fiji's
rather
absolute.
It's
not
something.
I
would
recommend
to
use
right
now
and
there
is
a
lot
of
other
features
available
through
configuration
s
code.
B
Dependable,
has
really
good
documentation,
and
here,
for
example,
it's
not
also
the
communication.
They
also
offer
validation
tool,
which
you
can
use
to
verify
configurations,
but
for
validation.
Let's
see
what
we
have,
so
you
can
stop
schedule.
You
can
stop
target
ranges.
If
you
use
multi
branch,
you
to
visit
aureus,
Ramirez
assignments,
labels
milestones
depending
on
your
tools,
you
can
either
blacklist
updates,
so
it's
ignored,
updates
or
allow
particular
updates.
If
you
want
to
also
focus
the
update,
you
can
setup
Otonashi.
A
So
I've
been
using
milestones
and
one
of
my
projects,
that's
a
github
capability.
This
will
allow
me
to
set
a
default
milestone
that
should
be
assigned
for
poor.
That's
great,
okay.
Thank
you.
You've
shown
me
Auto
merge,
updates,
which
I
need
on
one
of
my
plugins
and
default
milestone,
which
I
need
on
another
one.
B
Thanks,
okay,
yeah
you're
welcome.
So
what
else
we
have?
There
are
some
languages,
and
some
languages
also
have
additional
features.
So,
for
example,
for
JavaScript
you
can
set
up
life
updates
because
they
talk
to
NPM
receiver,
what
hooks
from
there,
so
they
get
dynamic,
updates
no
need
to
stop
daily
or
whatever
same
for
no
good.
B
B
B
It's
not
what
can
you
can
use
it
in
dependable
at
the
moment,
but
hopefully
this
feature
is
coming
soon,
so
that
we
want
to
need
to
duplicate
the
conflicts
and
we
will
be
able
to
do
define
common
templates,
for
example,
for
Janus
plugins,
because
yeah
I'll
talk
about
it
later
that
I
use
cases
we
need
to
cover.
But
right
now
it's
available
on.
A
B
So
dependent
word
has
default
labels,
for
example
with
says
dependencies
label
on
every
pool
request
which
it
sends
and
when
your
update
the
things
what
we
do
in
now
to
link,
we
have
category
dependency
updates,
which
also
includes
dependable.
So,
for
example,
here
you
can
see
that
we
it
when
it
releases
2.13
and
2.14.
If
I
dependable
submitting
requests
configurations
clicking,
update-
and
here
is
our
change
look,
and
there
are
other
bits
here
and
there.
B
If
you
take
a
look
at
another
tool
like
plugin
poem,
you
can
see
that
there
are
even
more
of
these
coming
from
dependable,
because
that
is
just
a
lot
more
dependencies
included
there.
So,
for
example,
here
dependable,
hey,
dependable,
so
here
it
definitely
gets
a
lot
of
contributions
across
the
Jenks
organization.
B
Ok,
another
feature
which
I
won't
be
presenting
but
which
worth
knowing
about
his
security,
because
dependent
would
also
integrates
with
github
security,
its
link,
which
allows
silent
tracking
vulnerabilities,
etc.
Again,
it
was
introduced
last
spring
by
github
and
what
dependable
does
now?
It
submits
a
request
using
security
API.
So
you
do
not
see
it
in
public,
but
you
see
these
changes
as
maintainer
and
you
can
appropriately
handle
them.
B
For
example,
creeper
a
CD
is
to
pay
security
advice
that
it's
like
we
do
in
Jenkins,
so
updates,
which,
with
known
security
field
abilities,
won't
be
displayed
in
common
pull
request
and
we
can
rely
on
it
quite
safely.
It
was
one
of
the
main
concerns
when
we
started
dependable
adoption,
but
it
was
addressed
quite
creaking,
so.
C
B
B
So
now,
maybe
we're
looking
at
something
like
2500
I
should
probably
to
this
slide
and
I
would
say
the
dependent
would
really
say
it's
time
because
yeah,
if
you
created
this
request
manually,
you
just
have
to
spend
a
lot
of
time.
If
you
want
to
prepare
a
proper
tool
request
to
reference
change
logs
to
reference
address
dishes
but
dependable
to
does
it
for
you,
so
I
found
it
really
useful,
though
it
first
burst,
of
the
quest
sometimes
makes
you
try
because
yeah
you
know
one
repository
I've
got
something
like
30
or
40
pull
requests.
B
Sometimes
major
bombs
missed
two
or
three
skipping,
two
or
three
major
versions.
Obviously
she
I
filled
but
yeah.
That's
not
a
point.
The
pointed
that,
in
common,
when
you
figure
out
all
these
updates,
it
becomes
quite
that
reliable
and
you
really
integrate
things
gradually.
So
we
don't
omit
to
spend
too
much
time,
though
there
are
some
pitfalls
to
know
about.
B
If
you
want
to
use
dependable
for
the
plug-in
one
thing
that
you
should
definitely
use
dependable,
to
update
pattern
phone
and
to
update
developer
tools,
so,
for
example,
if
he
is
leaving
plugins
and
other
components,
you
should
be
using
Creed,
because
you
just
stay
on
recent
versions,
bug
fixes
in
the
case
of
plug
in
poem,
or
that
is
a
lot
of
embedded
tools
like
static
analysis,
injected
pairs
and
again
we
update
them
automatically.
So
when
you
keep
your
pardon
more
up-to-date,
you
get
the
receipt
update.
B
Also,
what
you
shouldn't
do
is
to
actually
update
plug-in
dependencies
to
latest
versions,
because
plug-in
dependencies
in
Jenkins
means
completely
different
thing
than
a
in
common,
for
example,
in
maven
projects.
So
if
we
take
a
look,
okay,
let's
go
back
to
drop
restrictions.
Well,
you
always
say:
let's
take
something
else,
the
configuration
spot
so
here,
if
you
go
to
configuration,
is
called
plug-in.
You
can
see
that
it
is
a
lot
of
dependencies.
You
deployed
here,
not
I.
B
B
Let's
take
say,
for
example,
so
rolls
ready
for
you,
so
here
you
have
some
dependencies
declared.
You
can
see
that
there
is
plug-in
dependency
and
here's
another
plug-in
dependency,
and
this
plug-in
dependencies
may
be
in
different
scopes.
So,
for
example,
here
we
have
common
scope
dependency.
It
means
that
I'll
plug
in
the
request,
matrix
authorization
bug
in
the
version
2.2,
and
if
you
like,
dependable
Church
of
the
discussion,
then
dependable
will
push
it
no
problem.
B
What
would
it
mean
that
the
plug-in
village
should
require
a
newer
version
of
this
plug-in
and
it
will
force
all
the
users
of
these
plugins
to
top
date,
which
might
make
sense,
but
you
should
be
careful
with
it
because
yeah
you,
your
plug-in
the
users,
just
a
lose
freedom
to
manage
other
plugins,
and
sometimes
if
there
are
regressions
in
those
two
three
might
set
right.
It's
better,
not
top
it
yeah.
A
B
B
So
our
recommendation
is
to
be
careful
with
updates
of
Jenkins
fashion
and
definitely
not
to
peek
recent
fashion,
for
example,
what
the
practice
I
use
in
my
plugins
is
to
just
stay
behind
total
CSS
for
my
plugins.
If
you
want
to
have
more
insights,
how
versions
input
your
plug-in,
that
is
a
site
called
start
C,
Jenkins
Iowa,
and
here
we
can
see
plug-in
versions
by
Jenkins
version
and,
let's
take,
for
example,
get
plug
in.
Oh.
A
A
B
We've
had
a
Christmas
break,
so
you
can
see
that
many
people
still
didn't
update
to
the
recent
LCS.
We
had
a
new
security
released
announced
for
the
next
week,
so
yeah
I
guess
you
know
one
week
of
the
station
will
change
drastically
but
according
to
plug-in,
starts
on
January
1st.
This
is
the
distribution
we
had
so
the
next
month.
Statistics
will
be
more
aligned.
B
Okay,
anyway,
let's
go
back
to
slide
deck
because
yeah
you
have
some
I
think
so
one
other
thing
to
be
really
careful
of
is
library
updates,
because
library
updates
like
plugins,
but
they
may
conflict
with
changes
quarterly
made
conflict
with
each
other
and
for
what
it
was.
We
also
have
transitive
dependencies
again.
You
should
be
really
covered
careful
about
them,
watching
the
media
now
offers
tools
which
you
can
use
and
these
tools
I
included
in
the
our
standard,
the
on.
B
So
if
you
use
jenkees
playing
in
porn
or
if
you
use
Jenkins
for
libraries,
you
get
this
checks
automatically.
There
is
maven
enforcer
plug-in,
which
applies
require
upper
bounds
through
it
helps
to
prevent
transitive
dependencies.
So
you
have
seen
an
error
I
had
NCI
before
for
job
restrictions.
It
specifically
this
troop.
B
There
are
also
some
additional
rules,
for
example,
extra
enforce
rules
which
enforced
some
bad
code,
compatibility
checks
so
that
you
don't
get
updated
two
versions
which
do
not
support
the
Java
eat
anymore,
for
example,
and
they
make
sure
that
you
cubed
is
to
do
enabled
as
well.
So
the
default
configuration
it's
quite
straightforward.
If
you
don't
use
Jenkins,
you
can
stop
a
million
plug-in
called
maven
enforcer
and
then
the
configuration
we
put
a
rule
like
require
a
power
pounds.
And
after
that
this
rule
gets
applied,
be
some
exclude
and
you
get
they
think
raining.
B
It
helps
us
a
lot
use
dependencies
because,
again,
when
you
bump
one
dependency,
you
may
get
issues
with
transitive
dependencies
and
maybe
an
enforcer
plug-in
will
show
you
a
fork
if
something
is
not
aligned
so
that
you
watch
good
like
on
older
version
that
you're
supposed
to
use,
usually
dependency
requirements,
and
so
that's
what
we
use.
In
addition
to
that,
we
have
some
tools
which
simplify
dependency
management,
because
dependency
management
may
be
overwhelming.
If
you
take
a
look
at
marks,
plugin
how
many
friggin
dependencies
do
have
an
embarrassing.
B
So
it's
a
common
situation
for
all
the
plugins,
it's
even
worse,
because
there
are
more
in
and
try
to
dependences
but
yeah.
We
do
have
a
number
of
dependencies
and
you
can
see
that
market
doesn't
define
so
many
dependencies
here.
Why
is
because
we
use
another
tool,
called
dual
of
materials,
so
in
maven
you
can
declare
dependencies
in
external
repositories
and
here
a
user.
B
B
Okay,
so
it's
him
what
it
includes.
It
includes
a
set
of
plugins.
Actually
quite
a
number
of
plugins
I
just
need
frightened.
Here,
for
example,
we
can
take
150
bass
line,
and
here
you
can
key
I,
try
it
just
okay.
Thank
you,
I,
don't
think
so.
Yeah
you
can
see
that
there
is
a
bunch
of
plugins
here
and
Jesse
uses
tools
like
again
compatibility,
tester
and
also
to
verify
these
dependencies.
B
So
you
can
consume
this
bill
of
materials,
and
you
can
be
more
less
confident
that
this
begins
at
least
didn't
explode
this
each
other,
because
we
use
tools
offered
by
Junkers
project,
which
we
defy
these
dependencies,
and
not
only
this
repository
also
uses
dependable.
So
you
can
see
a
number
of
incoming
requests
which
try
to
update
versions.
Currently,
everything
is
in
red
because
we
have
change
in
configuration
as
cody
is
and
I
guess.
There
are
also
some
infrastructure
instabilities,
but
generally
dependable
is
used
in
order
to
bump
the
dependencies.
B
A
Yeah
pipeline
Jenkins,
the
Jenkins
bomb
the
Jessie
had
created,
made
my
life
dealing
with
work
workflow
with
pipeline
plugin
dependencies.
Much
much
better.
I
reduce
significantly
the
time
required
to
decode,
which
combinations
of
plug-in
versions
were
allowed
to
work,
Thank
You
Jessie.
Thank
you.
Thank
you.
B
Another
set
of
this
I
think
is
Jenkins
corpang,
it's
a
new
feature
which
has
been
added
by
Mike
receiver,
Olli
and
James
North
in
addition
to
Jenkins
versions.
So
it's
available
start
from
LCS,
2.2
or
4
1,
which
was
released
in
December,
but
James
has
also
created,
but
parts
for
previous
versions.
So
basically
it's
a
file
which
includes
information
about
libraries,
included
interchanges
corporations
because,
unfortunately,
we
had
cases
when
the
libraries
we
were
declared
as
conflicting
dependencies.
B
So
sometimes
it
was
leading
to
various
kinds
of
a
binary
conflicts
and
this
file
Alliance
dependencies
which
I
used
inside
the
tank,
is
got.
And
if
you
use
a
recent
like
in
conversions,
you
actually
have
to
enable
BOM
Mongolia.
But
we
are
working
on
a
plug-in
for
doing
0,
which
includes
it
out
of
the
box,
and
here
that
is
a
reference
to
boom
yep.
B
Basically,
if
you
use
photo
0
beta,
you
automatically
get
these
dependencies
as
a
part
of
your
tool
chain
when
you
use
the
plug-in
form
and
you
can
get
rid
of
explicit
version-
definitions
inside
the
plug-in
and
rely
on
plug-in
form
to
provide
it.
So
you
can
be
confident
that
each
time
you
build
a
you
build
this,
the
dependencies
required
for
this
particular
jenga's
corporation
yep.
So
the
recommendation
for
maven
definitely
use
enforcers,
definitely
use
of
materials.
B
B
A
B
Okay,
so
what
else
do
we
use
in
Jenkins?
Now
we
use
docker
and
JavaScript
again
there
are
other
technologies
and
tools
you
can
use
photo
capture.
The
use
case
is
obvious
because
if
you
have
dogged,
you
also
have
also
some
dependences,
for
example,
let's
open
local
file
here
it's
for
Jenkins,
fellow
runner,
and
here
you
can
see
that
but
a
few
dependencies
to
create
here.
So
this
is
multi-stage,
total
build
and
here
use
version
of
maiden
I
also
use
version
of
open
to
the
key
below
and
for
here,
I
use
a
specific
reaction
of
medium.
B
It's
a
right
approach,
so
every
time
maybe
not
did
say
it
will
get
a
pull
request
from
dependable,
but
here
use
a
attack.
This
is
actually
a
better
approach
because,
for
example,
if
a
new
release
of
Java
is
delivered
and
if
there
is
a
security
fix,
then,
if
I
use
such
approach,
I
won't
get
a
pull
request
from
dependable
and
my
might
work
behind.
B
It's
not
the
problem
forging
his
father
on
and
because
it's
in
better,
but
for
the
repositories,
is
something
to
consider
and
here's
an
example
of
maybe
not
need,
because
he,
a
dependable,
was
able
to
discover
million.
It
was
unable
to
cut
change
order
because
dr.
Harper
doesn't
distribute
information
for
official
images
so
for
the
cat
you
can
just
get
the
version,
and
then
you
have
to
figure
out
what's
between
these
versions
but
yeah,
that's
what
we
have
and
the
for
labels.
I
didn't
set
up
filters
and
here
what
is
she
do
in
this
repository?
B
B
Hyperlink
so
here
you
can
see
that
there
is
a
bit
of
million
and
you
can
see.
One
artifact
which
is
I
will
rather
consider
it
as
a
bucket
docker,
but
basically
doctor
tries
to
interpolate
some
versions.
They
use
a
lot
of
mono
checks
for
common
patterns,
but
here
you
can
see
that
it
will
pass
the
diversion
it
determined
that
a
number
on
the
end
is
actually
a
part
of
the
version.
So
he
is
a
bit
from
Java
eat
to
Java
13,
as
you
may
guess.
It
feels
well.
A
Yeah,
that's
okay,
but
that's
a
that's
a
terrifying
proposal,
because
this
is
saying
change
the
job.
That
probably
means
the
Java
version
right
and
the
Java
version
used
to
be
eight
and
they're
proposing
to
go
to
something
that
is,
is
not
a
long
term
support
Java
release
and
is
certainly
not
Java,
8
yep.
B
Goodness
that
you
can
actually
set
up
filters
when
I
was
talking
on
what
to
update
and
what
to
not
update
I
forgot
to
mention
it,
but
since
we
are
here,
what's
written
a
bit,
so
if
you
want
to
set
up
some
rules,
what
table
did
you
can
use
collaboration
file?
So
he
had
configuration
for
you
know
stubbies,
and
here
you
can
see
the
day,
ignore
all
Jenkins
core
dependences.
So
basically
I
don't
have
the
Jenkins
core
I
also
do
not
update
plugins
like
it.
The
standard
packages
so
or
shrink
is
a
plug-in.
B
So
IO
junk
is
plugins.
It's
not
a
syllable
about
it,
because
jenkees
plugins,
maybe
at
least,
is
different
group
IDs,
but
at
least
it
covers
a
majority
of
plugins,
and
if
you
are
plugin
maintainer,
you
can
setup
your
own
filters.
They
it's
not
limited
to
just
these
types.
If
I
go
to
the
dependable
settings,
you
can
see
that
they
use
github
api
as
an
example
much
appreciated.
But
what
you
can
see
here,
you
can
also
set
additional
types,
for
example
personal
requirements.
There
are
also
other
filters.
We
shall
not
mention
here.
B
You
can
ignore
dependency
types.
So
you
can
update
from
the
test
dependency.
Some
gives
common
scope
dependencies,
so
dependable
got
a
lot
of
features
for
me,
an
algorithm
and
count
him
so
yeah
yeah.
You
can
stop
your
own
filtering
if
you
want
to
avoid
cases
like
that,
but
yeah
just
keep
in
mind
that,
obviously
you
shouldn't
and
something
anybody.
B
Okay.
So
for
me
the
main
idea,
the
main
reason
to
have
dr.
auto
updates
is
to
actually
have
Jenkins
agents,
quote
updates,
which
is
a
nightmare
at
the
moment
for
maintainer,
and
you
eventually
get
there,
but
right
now
doc.
It
is
also
under
evaluation
for
Jenkins
project.
Same
for
JavaScript
we
have
several
plugins
and
components
which
use
JavaScript.
B
Nothing
changes
specifically,
so
dependable
can
determine
any
p.m.
it
can
determine
yarn
and
other
standard
packaging
and,
for
example,
I
just
opened
the
plinking
site,
and
here
you
can
see
that
there
is
a
lot
of
updates
coming
for
javascript
and
well
it's
so
the
same
as
for
everything
else
for
javascript.
Actually,
they
have
much
material
Mystics
just
because
there
is
a
lot
more
JavaScript
project
and
I'm,
not
sure
would
statistic,
and
it
just
it
takes
a
while
to
load
this
information
but
yep.
B
Eventually,
it
will
also
show
formation
about
failing
pull
requests,
also
change
locks
and
other
things.
So
you
get
the
same
for
JavaScript
and
basically
for
the
tools.
There
are
some
specific
flowers
facts
available,
but
it
remains
the
same
for
almost
any
technology.
So
the
know
how
there
is
how
to
parse
files,
how
to
submit
patches
and
they
put
dependable
des-
is
pretty
well.
B
The
dependency
check
engine
is
small
as
the
same
okay
in
just
a
few
icons
as
a
summary,
and
then
we
both
have
sometimes
open
e,
so
yeah,
if
you
develop
software,
consider
automating
dependency
management
for
projects.
It
helps
really
well.
It
saves
of
time
in
one
good
term.
We
already
had
few
kisses
when
dependable
helped
us
to
prevent
security
issues,
because
dependable
would
pick
the
releases
long
before
they
advised
that
it
was
published.
And
finally,
I
did
post
welcome
and
yeah
if
you
automate
the
dependencies.
B
So
there
are
tools
for
that
and
today
we
present
independent
board.
But
again
it's
just
one
example
for
two.
You
can
also
write
your
own
tool
if
you
want
for
your
convenience
and
depend
about
this
plugin,
so
you
can
write
plug-ins
for
your
language
and
specifically
for
million,
be
careful
about
the
transitive
dependencies,
because
the
most
of
the
problems
come
from
there.
If
you
don't
use
mainland
enforce
it,
just
don't
use
dependable
and
some
time
in
order
to
add
additional
static,
analysis
checks
and,
of
course,
make
sure
that
you
have
good
integration
setup.
B
So
we
work
on
Jenkins,
so
we
are
supposed
to
have
a
good
chain
and
we
have
a
lot
of
tools
for
plugins
and
if
you
measure
your
test
code
coverage,
then
it's
great,
because
you
can
also
discover
her
potential
gaps
where
dependency
updates
are
not
covered.
So
yeah
for
us
what's
next
is
to
document
how
we
use
the
Panda
bot.
B
So
if
you
could
recommend
that,
if
you
could
provide
configuration
could
be
much
more
meaningful
and
users
objectives,
that's
the
fun.
If
you
want
to
know
more,
that
is
a
lot
of
information,
so
that
is
depend
on
what
website
which
documentation
about
configuration
is
quote
about
using
dependable
about
some
pitfalls.
This
deputation
is
quite
good.
We
can
also
discuss
everything
in
the
coming
India.
The
please
use
a
firm
special
interest
group
for
Oconee.
If
you
want
to
follow
up
after
this
Meetup-
and
there
is
development
mail
increased
way,
we
discussed
a
dependable
tabulation.
B
A
A
And
sladden
add
another
question,
so
he
notes
in
the
chat
that
part
of
his
proposal
for
darker
polling
project
as
part
of
google
Summer
of
Code
was
to
send
pull
request
to
repositories
when
a
base,
image,
update
or
security
patch
had
occurred.
Could
this
be
done
with
dependable,
or
is
it
rather
better
to
be
done
done
with
a
separate
plugin?
What's
what's
the
preference.
B
So
run
of
the
problems
so
dependable
catalyst
on
databases
for
updates-
and
there
is
dependable-
doesn't
use
specific
databases
which
identify
about
security
updates
earlier.
So,
if
you
are
all
comfortable
with
eventual
updates
and
eventual
security,
then
dependable
is
probably
fine,
but,
for
example,
if
your
customer
of
organizations
which
notify
you
about
security
vulnerabilities
which
provide
proactive,
scans
and
other
tools,
then
you
might
want
to
implement
something
on
your
own.
B
Okay,
whether
it's
a
common
use
case
we've
had
that,
but
I'm
not
sure
how
common
it
is
across
the
industry,
and
this
part
still
make
sense.
Also,
if
we
talk
about
JSOC
project,
running
security
scans
has
to
happen
somewhere,
for
example,
the
in
Jenkins.
You
can
use
unsure
and
other
tools,
and
you
can
provide
triple
dependencies
based
on
that
information.
Again,
dependable,
doesn't
provide
you
much
insights
or
why
this
update
is
nutritional.
You,
it
provides
a
metadata
references
to
CVS,
but
you
would
still
need
to
analyze
the
impact
of
this
update
Francie
right.
C
A
So
you
mentioned
you
mentioned
that
there
are
sometimes
security
notices,
so
I
received
a
security
notice
for
a
particular
Jenkins
plug-in
total
of
25
installations.
Tiny
number
of
installations
was
that
coming
from
depend
upon
I
thought
that
was
coming
from
github.
What
can
you
teach
me
about
that?
So.
A
A
B
B
So
dependable
is
mostly
written
in
Ruby,
but
the
code
is
quite
good,
and
one
thing
to
keep
in
mind
is
about
license
because
it's
not
MIT
license.
Basically,
you
can
use
it
for
non-commercial
purpose,
as
you
wish.
So,
for
example,
we
can
take
it
and
run
dependable
test
co-writer
on
Jenkins
infrastructure
if
you
want.
But
if
you
want
to
make
this
a
commercial
feature,
then
yeah
then
do.