Installation

How do I install Dependaroo?

The Dependaroo Public Beta is available via the Atlassian Marketplace for Bitbucket Cloud customers.

Support for Bitbucket Server and Bitbucket Data Center is currently in development. If you are using Bitbucket Server or Bitbucket Data Center and are interested in finding out more, register your interest here.

Settings

How do I enable/disable my repositories for scanning?

Bitbucket Cloud

Dependaroo Repository Configuration

Navigate to your Bitbucket workspace settings, look for the "Dependaroo" section and select "Repository Configuration".

Server

Dependaroo Repository Configuration

Navigate to your Bitbucket Administration page, and select "Dependaroo" from within your list of Add-ons.

Data Center

Dependaroo Repository Configuration

Navigate to your Bitbucket Administration page, and select "Dependaroo" from within your list of Add-ons.

Configuration

Can I configure how my Repository is scanned?

Yes. Add a configuration file named dependaroo.yml to the root of your repository.

You can configure the following options for each supported build system:

  • Enabled Status: Boolean
  • Included Dependencies: Provided as a list for Maven/Gradle dependencies, or an Object for NPM
    • "group:artifact:version" for Maven/Gradle dependencies
    • {"name": "version"} for NPM dependencies
  • Excluded Dependencies: see Included Dependencies
  • Excluded Directories: List of directories within your project
  • Branch Name Prefix: Specify a prefix for the branch that is created by Dependaroo (defaults to "dependaroo")
  • Pull Request Title Prefix: Specify a prefix for the Pull Request title that is created by Dependaroo (defaults to empty string)

Additionally, there are a couple of options specific to NPM & Maven projects:

Maven

  • Excluded Maven Scopes: List of scopes for which you do not want updates
  • Custom Public Repositories: List of URLs pointing to your desired custom repositories
  • Disable Maven Central: Boolean used to skip scanning Maven Central repository for updates

NPM

  • Registry: URL pointing to your desired custom registry

Each build system in your dependaroo.yml is keyed on its name, lower-cased, e.g. gradle, maven or npm.

If you have not committed a dependaroo.yml file, the following defaults apply:

gradle:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  branchNamePrefix: "dependaroo"
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false

maven:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  excludeScopes: []
  globalRepositories: []
  globalPluginRepositories: []
  disableMavenCentral: false
  branchNamePrefix: "dependaroo"
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false

npm:
  enabled: true
  maxOpenPullRequests: 5
  excludedDirectories: []
  lockFileRequired: true
  include: {}
  exclude: {}
  registry: https://registry.npmjs.org/
  branchNamePrefix: "dependaroo"
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false

You may omit any of the above values from your dependaroo.yml; anything that isn't included in your configuration will use the default value shown above.

  • For example, if you omit registry from your NPM configuration, Dependaroo will scan "https://registry.npmjs.org/" for updates.
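
An added example, not taken from the Dependaroo documentation: a dependaroo.yml that overrides only some defaults, so updates are looked up in repositories you control and every omitted key keeps its default. The mapping of option names to keys (excludeScopes, globalRepositories) is inferred from the default listing above, and all hosts, coordinates, versions and directory names are constructed placeholders.

```yaml
# dependaroo.yml (repository root). Keys come from the defaults listed above;
# hosts, coordinates, versions and directories are constructed placeholders.

maven:
  # Assumed to correspond to "Excluded Maven Scopes".
  excludeScopes:
    - test
  # Assumed to correspond to "Custom Public Repositories".
  globalRepositories:
    - https://repo.example.com/maven-releases/
  # Skip scanning Maven Central for updates.
  disableMavenCentral: true
  # Maven/Gradle form: "group:artifact:version"
  exclude:
    - "com.example:legacy-client:1.4.2"
  pullRequestTitlePrefix: "[deps] "

npm:
  # Custom registry scanned instead of https://registry.npmjs.org/
  registry: https://npm.example.com/
  # NPM form: an object of name -> version
  exclude:
    "left-pad": "1.3.0"
  excludedDirectories:
    - examples

gradle:
  # Turn scanning off for this build system only.
  enabled: false
```

Keys left out here, such as maxOpenPullRequests, branchNamePrefix and lockFileRequired, fall back to the defaults shown earlier.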