Today I take great pleasure in announcing that Renovate, the open source dependency update tool, is now part of the Mend family and we will be making all hosted plans and editions of the tool FREE, effective immediately.
At Mend, we endeavor to help you use Open Source freely and fearlessly, so there could be no better fit than a tool whose purpose is to ease the burden of keeping dependencies up-to-date. Together with Renovate’s open source community, we aim to expand its leadership in platform and language support to become a universal DevOps tool.
While vulnerability detection and remediation have been top of mind recently, you’re going to make any security issue that much more difficult to handle if your project dependencies are lagging far behind. There’s a huge difference between applying an emergency patch to a production system when the patch is a two-line change and when it drags in two years’ worth of upstream changes.
Modern development teams are looking to take a proactive approach and focus on the prevention of future issues by keeping dependencies consistently up-to-date.
Something else that you may not be aware of is that vulnerability patches are often released before the vulnerability itself is disclosed publicly. That means that if you are an organization that establishes a practice of regularly reviewing and applying automated dependency updates, then there will be times when you patch a vulnerability before it’s even made public. You may not even need to deal with the vulnerability notification, because you’ll no longer be vulnerable by the time it’s publicized.
Vulnerabilities aside, it’s essential to regularly apply bug fixes in dependencies. Considering the large scale of adoption for today’s applications — even bootstrapped startups may reach a million users — the impact of bugs that affect as little as 0.1% of your users can be immense. Few businesses can afford to risk keeping user-affecting bugs in production.
We were mindful of dependency health at Mend early on, and were looking to develop such a solution. When we explored the options it was evident that Renovate was the best solution out there. Its community, flexibility, customization, broad platform support and extensibility made it an obvious choice for a partnership.
Renovate’s founder Rhys Arkins was inspired (not to mention infuriated) to initially develop the tool for his own use after discovering that an authentication bug he’d spent days troubleshooting was already patched more than a month earlier in Google’s Firebase SDK. While you can usually put a dollar figure on days of developer time, it’s not so easy to estimate the cost of a percentage of visitors turning away from your startup website for more than a month. To complete the circle, would you believe that just a couple of years later Google’s developers use Renovate’s hosted service on GitHub to keep the same Firebase JS SDK up to date?
It may seem like a silly question, but there are in fact plenty of developers who are not as fond of bots and automation as we are at Mend. But we think in this case Agent Smith put it best:
In all seriousness, no developer deserves to spend their time looking up dependencies and versions manually when it can be done automatically. Considering that Renovate can be configured to whatever workflow you desire (scheduling, grouping, Pull Requests on demand, etc.), there is an automation approach to suit everyone.
With 4000+ account installations on GitHub alone, the Renovate App has created over a million Pull Requests since its inception, with configurations to suit everyone from solo developers maintaining open source side projects right up to large development teams such as Google’s Angular or Automattic’s WordPress Calypso teams.
Naturally, Renovate the open source project was always free to use according to its OSI license, and will continue to be. Rhys expands on this a little more in his own blog post here.
What is changing post-acquisition is that we are taking the existing commercial offerings — the hosted Renovate app as well as Renovate Pro — and removing all plans/subscriptions, making them FREE!
We will rebrand them under the “Mend Renovate” umbrella so there’s no confusion between the open source Renovate and our Mend services.
The hosted Mend Renovate app on GitHub will no longer require a paid Marketplace plan for private repositories, while Renovate Pro will be renamed Mend Renovate Server and free to use with registration.
In addition, we plan to add Bitbucket Cloud and Azure DevOps support to the Mend Renovate app — also free of course — and we’ll add Bitbucket Server support to the self-hosted Mend Renovate.
I hope you’re now convinced that (a) you can’t tolerate outdated dependencies in your software projects, and (b) your developers’ time is better spent writing features than manually updating dependencies. Renovate is the solution you need to address both of these issues.
We have big plans for Renovate at Mend. We love its open-first approach and want to help extend that to support every platform and package manager you may use. Renovate has already gone beyond mere programming languages with its support for technologies like Ansible, Terraform, Kubernetes, Helm and CircleCI. Its cross-platform support for GitHub, GitLab, Bitbucket, and Azure DevOps makes it not just the best but also the broadest dependency update tool.
For our existing Mend customers, Renovate is a great complement to our Vulnerability and License management solutions. Just as a dentist should promote brushing rather than wait to drill, we will be here for you, encouraging a holistic approach to dependency health and freshness, driven by Renovate’s update automation. Jump in and enjoy the help of our wonderful customer success and support team across our entire suite.
For Renovate users, we look forward to serving you and hearing from you! Once Renovate becomes an essential workflow tool for you like we hope it will, please inquire with us if you’d like to consider commercial support, or to find out how Renovate works together with our vulnerability management platform to deliver best-in-class dependency safety. We look forward to helping everyone embrace Open Source freely and fearlessly.