{"id":46329184,"url":"https://github.com/bit-tasks/dependency-update","last_synced_at":"2026-03-04T17:05:38.700Z","repository":{"id":181028931,"uuid":"666079413","full_name":"bit-tasks/dependency-update","owner":"bit-tasks","description":"Bit component updates lookup task for CI/CD","archived":false,"fork":false,"pushed_at":"2026-02-28T02:10:31.000Z","size":737,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-28T08:07:49.506Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bit-tasks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-07-13T16:58:06.000Z","updated_at":"2025-07-21T16:51:36.000Z","dependencies_parsed_at":"2023-12-22T03:20:23.597Z","dependency_job_id":"f8d01458-bbb5-4b2e-bd8e-d4d2d5494262","html_url":"https://github.com/bit-tasks/dependency-update","commit_stats":null,"previous_names":["bit-tasks/dependency-update"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/bit-tasks/dependency-update","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit-tasks%2Fdependency-update","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit-tasks%2Fdependency-update/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit-tasks%2Fdependency-update/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit-tasks%2Fdependency-update/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bit-tasks","download_url":"https://codeload.github.com/bit-tasks/dependency-update/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bit-tasks%2Fdependency-update/sbom","scorecard":{"id":69933,"data":{"date":"2025-08-11","repo":{"name":"github.com/bit-tasks/dependency-update","commit":"2bc851325e2497b881bb8b1c3e3ee34fe40b4c6d"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.2,"checks":[{"name":"Maintained","score":0,"reason":"1 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: topLevel 'contents' permission set to 'write': .github/workflows/main.yml:8","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update-externals-and-envs.yml:6","Warn: topLevel 'contents' permission set to 'write': .github/workflows/update-pattern.yml:8","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:21: update your workflow using 
https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-externals-and-envs.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-externals-and-envs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-externals-and-envs.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-externals-and-envs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-externals-and-envs.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-externals-and-envs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update-pattern.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-pattern.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-pattern.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-pattern.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/update-pattern.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/bit-tasks/dependency-update/update-pattern.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   6 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score 
normalized to 0","details":["Warn: 0 commits out of 2 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"14 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h5c3-5r3r-rr8q","Warn: Project is vulnerable to: GHSA-rmvr-2pp2-xj38","Warn: Project is vulnerable to: GHSA-xx4v-prfh-6cgc","Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j","Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg","Warn: Project is vulnerable to: GHSA-gcx4-mw62-g8wm","Warn: Project is vulnerable to: GHSA-w5p7-h5w8-2hfq","Warn: Project is vulnerable to: GHSA-9crc-q9x8-hgqq","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T03:37:41.361Z","repository_id":181028931,"created_at":"2025-08-15T03:37:41.361Z","updated_at":"2025-08-15T03:37:41.361Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30086527,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T15:40:14.053Z","status":"ssl_error","status_checked_at":"2026-03-04T15:40:13.655Z","response_time":59,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-03-04T17:05:38.591Z","updated_at":"2026-03-04T17:05:38.669Z","avatar_url":"https://github.com/bit-tasks.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Bit Dependency Update for CI/CD Pipelines\n\nThis task generates a pull request to update dependencies, Bit components, and environments used by the Bit workspace in your Git repository. It streamlines the process of keeping your Bit workspace up to date through scheduled jobs, manual runs, or component release events on the Bit platform.\n\nThis task allows you to modify and update components using Cloud Workspaces and Hope AI on the Bit Platform, while ensuring your repository stays synchronized with these changes.\n\n## Types of dependency updates\n\n1. **External Dependencies**: Updates packages and Bit components that are not maintained in the workspace but are used by the workspace components.\n2. **Workspace Components**: Updates Bit components that are maintained in the workspace, including changes to their source files, dependencies, and configurations.\n3. **Environments (envs)**: Updates reusable development environments used by workspace components.\n\n## Inputs\n\n### `ws-dir`\n\n**Optional** The workspace directory path from the root. Default `\"Dir specified in Init Task or ./\"`.\n\n### `allow`\n\n**Optional** Allow different types of dependency updates. You can select multiple options, separated by commas. 
For example: `'external-dependencies, envs'`.\n\n**Default**: `'all'`\n\nOptions:\n\n- `external-dependencies`: Only update the versions of Bit components and packages _installed_ in your workspace. See the `version-update-policy` input to learn how to restrict updates using Semver rules. \n- `workspace-components`: Only update Bit components that are maintained in your workspace (`bit checkout head --all`).\n- `envs`: Only update the version of envs ('reusable development environments') used by Bit components maintained in your workspace.\n- `all`: Allow for updates of all types.\n\n### `version-update-policy`\n\n**Optional** Defines the version update policy (semver, minor, patch). Used in combination with the `allow` input to restrict the version updates of **external dependencies**.\n\n**Default** `''`. No restrictions on version updates. Update to the latest available version.\n\nOptions:\n\n- `semver` - Only update to newer versions that satisfy the semver policy (as it is defined in the `workspace.jsonc`, or other sources).\n- `minor` - Only update to newer minor versions.\n- `patch` - Only update to newer patch versions.\n\n### `branch`\n\n**Optional** Branch to check for dependency updates. Default `main`.\n\n### `package-patterns`\n\n**Optional** A string list of package names or patterns, separated by spaces or commas. For example: `'@babel/runtime,@types/**'`. Patterns should be in glob format. Default: All packages are selected.\n\n### `component-patterns`\n\n**Optional** A string list of component names or patterns, separated by spaces or commas. For example: `'@teambit/**,@my-org/ui/**'`. Patterns should be in glob format. Default: All components are selected.\n\n### `env-patterns`\n\n**Optional** A string list of environment names or patterns, separated by spaces or commas. For example: `'@teambit/envs/**,@bitdev/envs/**'`. Patterns should be in glob format. 
Default: All environments are selected.\n\n## Example usage\n\n**Note:** Use `bit-tasks/init@v1` as a prior step in your action before running `bit-tasks/dependency-update@v1`. You also need to [allow GitHub Actions](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests) to create pull requests.\n\n```yaml\nname: Bit Dependency Update\non:\n  schedule:\n    - cron: '0 0 * * *'\n  workflow_dispatch:\npermissions:\n  pull-requests: write\n  contents: write\njobs:\n  check-for-updates:\n    runs-on: ubuntu-latest\n    env:\n      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n      GIT_USER_NAME: ${{ secrets.GIT_USER_NAME }}\n      GIT_USER_EMAIL: ${{ secrets.GIT_USER_EMAIL }}\n      BIT_CLOUD_ACCESS_TOKEN: ${{ secrets.BIT_CLOUD_ACCESS_TOKEN }}\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v3\n      - name: Initialize Bit\n        uses: bit-tasks/init@v1\n        with:\n          ws-dir: '\u003cWORKSPACE_DIR_PATH\u003e'\n      - name: Bit Dependency Update\n        uses: bit-tasks/dependency-update@v1\n        with:\n          branch: 'main'\n          allow: 'all'\n          version-update-policy: 'semver'\n```\n\n**Note:** To allow pull request creation, go to your GitHub Organization settings and grant the permission. You may also need to allow it at the repository level if it is disabled there.\n\n```\nSettings -\u003e Actions -\u003e General -\u003e Workflow permissions -\u003e Allow GitHub Actions to create and approve pull requests\n```\n\n# Contributor Guide\n\nSteps to create custom tasks in different CI/CD platforms.\n\n## GitHub Actions\n\nGo to the GitHub action task directory and build using the NCC compiler. 
For example:\n\n```\nnpm install\nnpm run build\ngit commit -m \"Update task\"\ngit tag -a -m \"action release\" v1 --force\ngit push --follow-tags\n```\n\nFor more information, refer to [Create a JavaScript action](https://docs.github.com/en/actions/creating-actions/creating-a-javascript-action)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbit-tasks%2Fdependency-update","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbit-tasks%2Fdependency-update","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbit-tasks%2Fdependency-update/lists"}