Tracking Dependency versions
Published on January 8th, 2024Tracking the dependency version is critical for ensuring your software is secure and compliant. It can be difficult to track which of your software is using a supported version, and which are using an End of Life version.
With Roadie’s Tech Insights feature, there’s an easier way. In this tutorial, we’re going to:
- Automatically scan Components in the Backstage catalog and record which React version they’re using.
- Visualise the distribution of React versions being used.
- Create a check that can tell us which software is not using the supported version.
As we go through this process, you’ll learn:
- How to create Data Sources, Checks and Scorecards with Tech Insights.
- How to parse files with JSONata in Roadie and extract facts from those files.
- How to detect which repositories contain certain files like the package.json with Tech Insights.
- How to use the “Satisfies semantic version” operator to do comparisons.
Let’s get started.
Record the React version automatically
In order to track the React versions used in the catalog, we are going to create a Data Source In Roadie Tech Insights. It will be setup to run on a scheduled basis and extract the React version specified in the package.json file.
Package.json Data Source
-
Visit Tech Insights, select the Data Sources tab, and press ADD DATA SOURCE.
-
Enter a descriptive Name and Description.
-
Set the Data Provider Type to
Component Repository File
, Location topackage.json
. Select a value for Select Entity to test data source against and press TEST. -
Test results are displayed.
-
Create multiple Facts:
-
Set Parser to
JSON with JSONata syntax
. -
Set the first Fact to:
Field Name Value Fact Name React version JSONata query $exists(resolutions.”@types/react”) ? resolutions.”@types/react” : $exists(dependencies.react) ? dependencies.react : "" Type String -
Press ADD FACT and set the first Fact to:
Field Name Value Fact Name Has React dependency JSONata query $exists(resolutions.”@types/react”) ? $boolean(resolutions.”@types/react”) : $exists(dependencies.react) ? $boolean(dependencies.react) : false Type Boolean
-
-
Press CHECK FACTS.
-
Use the Applies to filter to target this data source at some components which you expect to have React versions. We recommend starting with a highly targeted filter for initial experimentation and iteration. You can widen the filter later to capture more results.
-
Press SAVE.
Visualise the distribution of React versions being used
Data Source comes with a built-in visualisation panel which lets us get an overview of the Dockerfile base image versions being used. When viewing a Data Source, expand the “Facts visualization” section to see it.
This chart tells us:
- 17% of the Components that this Data Source targets are using version
17.0.59
. - 17% are using version
15.4.0
. - 67% of Components do not have a React version at all. This is the Empty Results section.
In the next section, we will create a Check which can show a pass or fail result to app dev teams to tell them if they need to upgrade their React version.
Create a check that shows which software is not using a supported React version
We have a data source telling us what React versions are present in our components, but it also includes non-React components in the results. Let’s omit the non-React components from the results by creating a check.
Create a check
The builtin “Repository Files Data Source” gives us all the file paths of a component’s repository. We can use this to determine which components are using React. We can also now extract the React version from those files.
Let’s write a check to combine both of these properties.
-
Visit Tech Insights, select the Checks tab, and press ADD CHECK.
-
Enter a descriptive Name and Description.
-
Create a compound check:
-
Set Type to
Or
. -
Set the first condition to:
Field Name Value Data Source GitHub repository file list Fact List of files Fact operator Does not contain Value package.json -
Press +ADD CONDITION and set the second condition to:
Field Name Value Data Source Package JSON information Fact React version Fact operator Greater than semantic version Value 16.0.0 -
Press +ADD CONDITION and set the third condition to:
Field Name Value Data Source Package JSON information Fact Has React dependency Fact operator Is False
-
-
Press DRY RUN
-
(Optional) Add a URL to documentation outlining the steps to update the React version in the component.
-
Use the Applies to filter to target this data source at some components which you expect to have React versions. We recommend starting with a highly targeted filter for initial experimentation and iteration. You can widen the filter later to capture more results.
-
Press SAVE.
Check Results
The results of this check tell us who we need to reach out to to ask for a React version upgrade.
- The backstage-demo component passes the check with the version
17.0.59
. - The react-native-sample-app component fails the check with the version
15.4.0
- The other components passes the check due to not having a React dependency.
Since we already know the owners of these components, it’s easy to reach out and ask them to upgrade their React version.