WhiteSource has acquired Renovate, a provider of an open source automated dependency update platform that the company plans to make available for free.
Rhys Arkins, co-founder of Renovate who is now director of product for WhiteSource, said that as software projects become more complicated, there’s an increased need for a mechanism to identify and track dependencies and automatically update them as changes and updates are made.
That requirement is becoming especially acute with the rise of microservices-based applications, which substantially increase the number of dependencies that exist within and between applications, added Arkins. Microservices make it possible for DevOps teams to build and deploy applications faster, but the dependencies between the microservices often result in an application environment that becomes too complex to manage. Most recently, Renovate added support for Helm Charts used to package applications in Kubernetes environments, on which many microservices are now being deployed.
In addition, WhiteSource plans to add support for CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects.
Prior to the acquisition, WhiteSource was reselling the Renovate platform, which has more than 150 contributors. Now that WhiteSource owns the Renovate platform, including a hosted GitHub application and self-hosted GitHub and GitLab applications, the company has decided to make it available for free under the WhiteSource Renovate brand name.
In the future, the WhiteSource Renovate app will add support for Bitbucket Cloud and Azure DevOps, thereby expanding the sources of dependency data that can be employed to make updates less risky and time-consuming, said Arkins. In effect, WhiteSource wants its automated dependency platform to become a natural extension of any continuous integration/continuous delivery (CI/CD) platform, he added.
Arkins said that when it comes to managing dependencies, the biggest challenge is getting developers to identify them. In the absence of a platform for managing that process, developers will either not declare dependencies at all or, more commonly, not provide the right version number for a specific release of software on which their application is dependent. The more automated that process becomes, the less likely it is DevOps teams will find applications breaking because of a dependency that they were unaware of or lost track of at some point during the project.
With the rise of DevOps, many organizations are now employing a more structured approach to dependencies. However, Arkins noted, many organizations are unaware that an open source platform is available that automatically updates all dependencies.
WhiteSource is best known for helping organizations discover vulnerabilities in open source code. With the acquisition of Renovate, the company is furthering its ambitions to become a provider of software composition analysis tools.
It remains to be seen just how many organizations will incorporate an automated dependency update platform into their DevOps processes. While many organizations have embraced DevOps, the level of maturity in terms of DevOps sophistication is uneven. The more software projects an organization launches, however, the more likely it is to become apparent that there is a need for a better way to manage software dependencies.