{"id":37021293,"url":"https://github.com/jenkins-x/updatebot","last_synced_at":"2026-01-14T02:30:32.034Z","repository":{"id":57735647,"uuid":"118122741","full_name":"jenkins-x/updatebot","owner":"jenkins-x","description":"a simple bot for updating dependencies in source code and automatically generating Pull Requests in downstream projects","archived":false,"fork":true,"pushed_at":"2021-04-08T11:30:35.000Z","size":811,"stargazers_count":40,"open_issues_count":1,"forks_count":21,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-07-13T11:20:27.549Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"fabric8-updatebot/updatebot","license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jenkins-x.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-01-19T12:28:59.000Z","updated_at":"2023-08-22T19:50:31.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/jenkins-x/updatebot","commit_stats":null,"previous_names":[],"tags_count":75,"template":false,"template_full_name":null,"purl":"pkg:github/jenkins-x/updatebot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkins-x%2Fupdatebot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkins-x%2Fupdatebot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkins-x%2Fupdatebot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkins-x%2Fupdatebot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jenkins-x","download_url":"https://codeload.github.com/jenkins-x/updatebot/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkins-x%2Fupdatebot/sbom","scorecard":{"id":514952,"data":{"date":"2025-08-11","repo":{"name":"github.com/jenkins-x/updatebot","commit":"fbf290f2b56c71cf6a07429971d72e7ad5056ccb"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.5,"checks":[{"name":"Code-Review","score":6,"reason":"Found 10/16 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 25 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"85 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h46c-h94j-95f3","Warn: Project is vulnerable to: GHSA-wf8f-6423-gfxg","Warn: Project is vulnerable to: GHSA-27xj-rqx5-2255","Warn: Project is vulnerable to: GHSA-288c-cq4h-88gq","Warn: Project is vulnerable to: GHSA-4gq5-ch57-c2mg","Warn: Project is vulnerable to: GHSA-4w82-r329-3q67","Warn: Project is vulnerable to: GHSA-57j2-w4cx-62h2","Warn: Project is vulnerable to: GHSA-58pp-9c76-5625","Warn: Project is vulnerable to: GHSA-5949-rw7g-wx7w","Warn: Project is vulnerable to: GHSA-5p34-5m6p-p58g","Warn: Project is vulnerable to: GHSA-5r5r-6hpj-8gg9","Warn: Project is vulnerable to: GHSA-5ww9-j83m-q7qx","Warn: Project is vulnerable to: GHSA-645p-88qh-w398","Warn: Project is vulnerable to: GHSA-6fpp-rgj9-8rwc","Warn: Project is vulnerable to: GHSA-6wqp-v4v6-c87c","Warn: Project is vulnerable to: GHSA-758m-v56v-grj4","Warn: Project is vulnerable to: GHSA-85cw-hj65-qqv9","Warn: Project is vulnerable to: GHSA-89qr-369f-5m5x","Warn: Project is vulnerable to: GHSA-8c4j-34r4-xr8g","Warn: Project is vulnerable to: GHSA-8w26-6f25-cm9x","Warn: Project is vulnerable to: GHSA-95cm-88f5-f2c7","Warn: Project is vulnerable to: GHSA-9gph-22xh-8x98","Warn: Project is vulnerable to: GHSA-9m6f-7xcq-8vf8","Warn: Project is vulnerable to: GHSA-9mxf-g3x6-wv74","Warn: Project is vulnerable to: GHSA-9vvp-fxw6-jcxr","Warn: Project is vulnerable to: GHSA-c265-37vj-cwcc","Warn: Project is vulnerable to: GHSA-c2q3-4qrh-fm48","Warn: Project is vulnerable to: GHSA-c8hm-7hpq-7jhg","Warn: Project is vulnerable to: GHSA-cf6r-3wgc-h863","Warn: Project is vulnerable to: GHSA-cggj-fvv3-cqwv","Warn: Project is vulnerable to: GHSA-cjjf-94ff-43w7","Warn: Project is vulnerable to: GHSA-cmfg-87vq-g5g4","Warn: Project is vulnerable to: GHSA-cvm9-fjm9-3572","Warn: Project is vulnerable to: GHSA-f3j5-rmmp-3fc5","Warn: Project is vulnerable to: GHSA-f9hv-mg5h-xcw9","Warn: Project is vulnerable to: GHSA-f9xh-2qgp-cq57","Warn: Project is vulnerable to: GHSA-fmmc-742q-jg75","Warn: Project is vulnerable to: GHSA-fqwf-pjwf-7vqv","Warn: Project is vulnerable to: GHSA-gjmw-vf9h-g25v","Warn: Project is vulnerable to: GHSA-gwp4-hfv6-p7hw","Warn: Project is vulnerable to: GHSA-gww7-p5w4-wrfv","Warn: Project is vulnerable to: GHSA-h3cw-g4mq-c5x2","Warn: Project is vulnerable to: GHSA-h4rc-386g-6m85","Warn: Project is vulnerable to: GHSA-h592-38cm-4ggp","Warn: Project is vulnerable to: GHSA-h822-r4r5-v8jg","Warn: Project is vulnerable to: GHSA-j823-4qch-3rgm","Warn: Project is vulnerable to: GHSA-jjjh-jjxp-wpff","Warn: Project is vulnerable to: GHSA-m6x4-97wx-4q27","Warn: Project is vulnerable to: GHSA-mc6h-4qgp-37qh","Warn: Project is vulnerable to: GHSA-mph4-vhrx-mv67","Warn: Project is vulnerable to: GHSA-mx7p-6679-8g3q","Warn: Project is vulnerable to: GHSA-mx9v-gmh4-mgqw","Warn: Project is vulnerable to: GHSA-p43x-xfjf-5jhr","Warn: Project is vulnerable to: GHSA-q93h-jc49-78gg","Warn: Project is vulnerable to: GHSA-qjw2-hr98-qgfh","Warn: Project is vulnerable to: GHSA-qmqc-x3r4-6v39","Warn: Project is vulnerable to: GHSA-qr7j-h6gg-jmgc","Warn: Project is vulnerable to: GHSA-r3gr-cxrf-hg25","Warn: Project is vulnerable to: GHSA-r695-7vr9-jgc2","Warn: Project is vulnerable to: GHSA-rf6r-2c4q-2vwg","Warn: Project is vulnerable to: GHSA-rfx6-vp9g-rh7v","Warn: Project is vulnerable to: GHSA-rgv9-q543-rqg4","Warn: Project is vulnerable to: GHSA-rpr3-cw39-3pxh","Warn: Project is vulnerable to: GHSA-v3xw-c963-f5hc","Warn: Project is vulnerable to: GHSA-v585-23hc-c647","Warn: Project is vulnerable to: GHSA-vfqx-33qm-g869","Warn: Project is vulnerable to: GHSA-w3f4-3q6j-rh82","Warn: Project is vulnerable to: GHSA-wh8g-3j2c-rqj5","Warn: Project is vulnerable to: GHSA-x2w5-5m2g-7h5m","Warn: Project is vulnerable to: GHSA-gwrp-pvrq-jmwv","Warn: Project is vulnerable to: GHSA-j288-q9x7-2f5v","Warn: Project is vulnerable to: GHSA-4487-x383-qpph","Warn: Project is vulnerable to: GHSA-f26x-pr96-vw86","Warn: Project is vulnerable to: GHSA-ffvq-7w96-97p7","Warn: Project is vulnerable to: GHSA-g8hw-794c-4j9g","Warn: Project is vulnerable to: GHSA-rcpf-vj53-7h2m","Warn: Project is vulnerable to: GHSA-v596-fwhq-8x48","Warn: Project is vulnerable to: GHSA-3mc7-4q67-w48m","Warn: Project is vulnerable to: GHSA-98wm-3w3q-mw94","Warn: Project is vulnerable to: GHSA-9w3m-gqgf-c4p9","Warn: Project is vulnerable to: GHSA-c4r9-r8fh-9vj2","Warn: Project is vulnerable to: GHSA-hhhw-99gj-p3c3","Warn: Project is vulnerable to: GHSA-mjmj-j48q-9wg2","Warn: Project is vulnerable to: GHSA-rvwf-54qp-4r6v","Warn: Project is vulnerable to: GHSA-w37g-rhq8-7m4j"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T01:34:37.942Z","repository_id":57735647,"created_at":"2025-08-20T01:34:37.942Z","updated_at":"2025-08-20T01:34:37.942Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28408711,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T01:52:23.358Z","status":"online","status_checked_at":"2026-01-14T02:00:06.678Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-14T02:30:31.202Z","updated_at":"2026-01-14T02:30:32.021Z","avatar_url":"https://github.com/jenkins-x.png","language":"Java","funding_links":[],"categories":["Browse The Shelves"],"sub_categories":["Repo automation tools"],"readme":"## UpdateBot\n\nA bot for updating dependencies on your projects automatically\n\n[![Javadocs](http://www.javadoc.io/badge/io.jenkins.updatebot/updatebot-core.svg?color=blue)](http://www.javadoc.io/doc/io.jenkins.updatebot/updatebot-core)\n[![Maven Central](https://maven-badges.herokuapp.com/maven-central/io.jenkins.updatebot/updatebot-core/badge.svg?style=flat-square)](https://maven-badges.herokuapp.com/maven-central/io.jenkins.updatebot/updatebot-core/)\n![Apache 2](http://img.shields.io/badge/license-Apache%202-red.svg)\n\n### Golang rewrite available\n\n**NOTE** if you are interested in a small binary you can use on the command line, in a container image, CI tool or GitHub Action you might like the [jx-upgradebot](https://github.com/jenkins-x-plugins/jx-updatebot) project\n\n### Configuration\n\nUpdateBot takes a simple YAML file to define which git repositories and github organisations to search for repositories to update.\n\nSee [an example UpdateBot YAML file](updatebot-core/src/test/resources/maven/updatebot.yml)\n\n## Using UpdateBot\n\n### Jenkins Pipelines\n\nA good place to use UpdateBot is in your Continuous Delivery pipelines when you've just created a release, tagged the source code and have waited for the artifacts to be in maven central or your nexus/artifactory; then you want to push those new versions into your downstream projects via Pull Requests.\n\nTo do that please use the [UpdateBot Jenkins Plugin](https://wiki.jenkins.io/display/JENKINS/Updatebot+Plugin) or checkout the [UpdateBot Jenkins Plugin documentation](https://github.com/jenkinsci/updatebot-plugin/blob/master/readme.md).\n\nEssentially once you have installed the [UpdateBot Jenkins Plugin](https://wiki.jenkins.io/display/JENKINS/Updatebot+Plugin)  into your Jeknins you just use the `updateBotPush()` step in your pipeline like this:\n\n```groovy\nnode {\n\n    stage('Release') { \n        git 'https://github.com/jstrachan-testing/updatebot-npm-sample.git'\n\n        // TODO do the actual release first...\n        \n        // TODO wait for the release to be in maven central or npm or whatever...\n    }\n\n    stage('UpdateBot') {\n        // now lets update any dependent projects with this new release\n        // using the local file system as the tagged source code with versions\n        updateBotPush()\n    }\n}\n``` \n\n### Command Line\n\nThe updatebot jar file is a fat executable jar so you can use: \n\n    java -jar updatebot-${version}.jar\n  \nBut the jar is also a unix binary so you can just run the following:\n\n    ./updatebot-${version}.jar\n\nTo install on a unix operating system just copy the updatebot-${version).jar to file called `updatebot` on your `PATH`\n\n## Kinds of update\n\nThere are different kinds of updates that UpdateBot can do. Lets walk through the kinds of updates you might want to do...\n\n### Pushing\n\nWhen you release an artifact its good practice to eagerly update all of the projects that use your artifact to use the new version via a Pull Request. Using a Pull Request means that this version change will trigger any Continuous Integration tests to validate the version change which also gives good feedback upstream to your project. It also lets downstream projects review and approve any version change.\n\nTo push versions from a repository just run the `push` command passing in the git clone URL or a local directory that contains a git clone.\n\n    updatebot push --repo https://github.com/foo/bar.git \n    \nYou can specify a particular git commit reference (sha, branch, tag) via `--ref`   \n\n    updatebot push --repo https://github.com/foo/bar.git --ref 1.2.3\n\nThis will then grab the source code for that repository and update its version in the downstream dependent projects.\n\nWhen doing a CD pipeline you will typically have the git repository cloned locally already so you can just point to a local clone:\n    \n    updatebot push --dir /foo/bar\n\nOr specifying the tag as well:\n\n    updatebot push --dir /foo/bar  --tag 1.2.3\n    \n\n#### Pushing other dependency versions\n\nOften projects have other dependencies such as shared libraries or packages. e.g. an npm project may have dependencies on angular packages.  \n\nYou may want to use a single project as your _exemplar_ project so that it defines a set of dependency versions; so that if they change in one repository then updatebot will replicate those changes into other repositories.\n\nTo push other versions from a repository we use the `push` object below, then we include language/framework specific dependency set definitions. In the case of `npm` we can specify lists of includes or excludes dependencies for `dependencies`, `devDependencies` or `peerDependencies`. You can use `*` too for a wildcard to make this YAML more DRY.\n \ne.g. here's an example `updatebot.yml` file that sets up a repo called `ngx-base` as the exemplar project for all of its dependencies:\n\n```yaml\ngithub:\n  organisations:\n  - name: jstrachan-testing\n    repositories:\n    - name: ngx-base\n      push:\n        npm:\n          dependencies:\n            includes:\n            - \"*\"\n          devDependencies:\n            includes:\n            - \"*\"\n    - name: ngx-widgets\n```\n\nThen when we run this command:\n\n    updatebot push --repo https://github.com/jstrachan-testing/ngx-base\n    \nupdatebot will look at all of those matching dependencies in the `ngx-base/package.json` and if they are different to the downstream dependencies it will generate a Pull Request.\n\ne.g. here's an [example generated Pull Request on the ngx-widgets project](https://github.com/jstrachan-testing/ngx-widgets/pull/13)  where it generated a [single commit to update all the changed versions](https://github.com/jstrachan-testing/ngx-widgets/pull/13/commits/a3ade936a21c0f4727bcbad52e6ca227607d86e6)  \n    \n    \n#### Pushing specific versions\n\nSometimes you just want to upgrade a specific version through your projects. To do this use the `push-version` command:\n\n    updatebot push-version -k npm myapp 1.2.3\n    \nThis will then iterate through all the projects defined by the configuration file you give it and generate the necessary code changes to adopt the new version and submit pull requests.    \n\n\n\n### Pulling\n\nWe recommend `pushing` version changes eagerly in your CI / CD pipelines.\n\nHowever projects often depend on lots of dependencies that are released upstream by different teams. So to pull version changes from upstream releases you can use the pull command:\n\n    updatebot push -k npm \n\nThis will then update any dependencies in your projects.\n\n### Requirements\n\nUpdateBot requires the following binaries to be available on your `PATH`\n\n* java\n* git\n\n#### Node\n\nTo be able to pull version changes into your npm packages we use the [ncu](https://www.npmjs.com/package/npm-check-updates) CLI tool. You can install it via [these instructions](https://www.npmjs.com/package/npm-check-updates) or typing\n\n    npm install -g npm-check-updates\n\n\n### Docker\n\nIf you want to use UpdateBot inside a docker image you can reuse the [fabric8/maven-builder](https://hub.docker.com/r/fabric8/maven-builder/) image\n\n\n    \n      \n  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkins-x%2Fupdatebot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjenkins-x%2Fupdatebot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkins-x%2Fupdatebot/lists"}