Installation

How do I install Dependaroo?

The Dependaroo Public Beta is available via the Atlassian Marketplace for Bitbucket Cloud customers.

Support for Bitbucket Server and Bitbucket Data Center is currently in development. If you are using Bitbucket Server or Bitbucket Data Center and would like to find out more, register your interest here.

Settings

How do I enable/disable my repositories for scanning?

Bitbucket Cloud

Dependaroo Repository Configuration

Navigate to your Bitbucket workspace settings, look for the "Dependaroo" section and select "Repository Settings".

Server

Dependaroo Repository Configuration

Navigate to your Bitbucket Administration page, look for the "Dependaroo" section from within your list of Add-ons and select "Repository Settings".

Data Center

Dependaroo Repository Configuration

Navigate to your Bitbucket Administration page, look for the "Dependaroo" section from within your list of Add-ons and select "Repository Settings".

Configuration

Global Configuration

Inside "Build tool settings" you can set your global configuration for each build system. This configuration will apply to all your repositories (unless you use a dependaroo.yml, which is explained below).

Dependaroo Global Configuration

Can I configure how each Repository is scanned?

Yes. Add a configuration file named dependaroo.yml to the root of your repository. It overrides your global configuration settings for that repository. Dependaroo supports four build systems: Gradle, Maven, NPM and Yarn.

Here are the defaults for each of the values:

gradle:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false

maven:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false
  excludeScopes: []
  globalRepositories: []
  globalPluginRepositories: []
  disableMavenCentral: false

npm:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false
  registry: https://registry.npmjs.org/

yarn:
  enabled: true
  maxOpenPullRequests: 5
  include: []
  exclude: []
  excludedDirectories: []
  pullRequestTitlePrefix: ""
  vulnerabilityScannerEnabled: false
  registry: https://registry.yarnpkg.com/

If you omit a value from your dependaroo.yml, or do not add a dependaroo.yml file at all, that value falls back to your global configuration. If the value is not set in your global configuration either, the default shown above is used.
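Added example (not Dependaroo's own code): a Python sketch that applies the fallback order described above to each option and then flags effective settings a reviewer may want to revisit, namely a vulnerability scanner left off and registry or repository URLs that are not HTTPS. The function names, the two checks and the sample inputs are this example's own; it assumes the YAML has already been parsed into dictionaries and that a value set in dependaroo.yml replaces the global value outright, lists included.

```python
# Added example: resolves the effective Dependaroo settings for one repository
# using the documented fallback (dependaroo.yml -> global configuration -> default).
COMMON = {"enabled": True, "maxOpenPullRequests": 5, "include": [], "exclude": [],
          "excludedDirectories": [], "pullRequestTitlePrefix": "",
          "vulnerabilityScannerEnabled": False}
DEFAULTS = {
    "gradle": dict(COMMON),
    "maven": dict(COMMON, excludeScopes=[], globalRepositories=[],
                  globalPluginRepositories=[], disableMavenCentral=False),
    "npm": dict(COMMON, registry="https://registry.npmjs.org/"),
    "yarn": dict(COMMON, registry="https://registry.yarnpkg.com/"),
}

def effective_config(repo_file, global_config):
    """Per option: value from dependaroo.yml, else global configuration, else default."""
    resolved = {}
    for system, defaults in DEFAULTS.items():
        repo = (repo_file or {}).get(system) or {}
        glob = (global_config or {}).get(system) or {}
        resolved[system] = {key: repo.get(key, glob.get(key, default))
                            for key, default in defaults.items()}
    return resolved

def audit(resolved):
    """Return (build system, finding) pairs worth a reviewer's attention."""
    findings = []
    for system, cfg in resolved.items():
        if not cfg["enabled"]:
            continue  # disabled build systems are not scanned at all
        if not cfg["vulnerabilityScannerEnabled"]:
            findings.append((system, "vulnerability scanner is off"))
        # npm/yarn have a single registry; maven has two lists of repository URLs.
        urls = [cfg["registry"]] if "registry" in cfg else (
            cfg.get("globalRepositories", []) + cfg.get("globalPluginRepositories", []))
        for url in urls:
            if not url.lower().startswith("https://"):
                findings.append((system, "non-HTTPS source: " + url))
    return findings

# Constructed sample inputs (already parsed from YAML); hostnames are placeholders.
GLOBAL_CONFIG = {"maven": {"vulnerabilityScannerEnabled": True},
                 "npm": {"registry": "http://npm.internal.example/"}}
REPO_FILE = {"gradle": {"enabled": False},
             "npm": {"vulnerabilityScannerEnabled": True, "maxOpenPullRequests": 2}}

if __name__ == "__main__":
    for system, finding in audit(effective_config(REPO_FILE, GLOBAL_CONFIG)):
        print(system + ": " + finding)
```

With the sample inputs, yarn is reported because nothing overrides the default vulnerabilityScannerEnabled: false, and npm is reported because the registry inherited from the global configuration is plain HTTP.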


Gradle

| Option | Type | Info |
| --- | --- | --- |
| enabled | Boolean | Enables or disables this build system |
| maxOpenPullRequests | Number | Maximum number of Dependaroo pull requests open at one time for this build system |
| include | String[] | List of entries formatted as "group:artifact:version". If populated, these are the only dependencies checked for updates |
| exclude | String[] | List of entries formatted as "group:artifact:version". If populated, these dependencies are not checked for updates |
| excludedDirectories | String[] | List of directories within your project that you wish to exclude from the scan |
| pullRequestTitlePrefix | String | Prefix for the title of pull requests created by Dependaroo (defaults to an empty string) |
| vulnerabilityScannerEnabled | Boolean | Enables a call to the GitHub Advisory Database for security vulnerabilities resolved/unresolved in your update |

Maven

| Option | Type | Info |
| --- | --- | --- |
| enabled | Boolean | Enables or disables this build system |
| maxOpenPullRequests | Number | Maximum number of Dependaroo pull requests open at one time for this build system |
| include | String[] | List of entries formatted as "group:artifact:version". If populated, these are the only dependencies checked for updates |
| exclude | String[] | List of entries formatted as "group:artifact:version". If populated, these dependencies are not checked for updates |
| excludedDirectories | String[] | List of directories within your project that you wish to exclude from the scan |
| pullRequestTitlePrefix | String | Prefix for the title of pull requests created by Dependaroo (defaults to an empty string) |
| vulnerabilityScannerEnabled | Boolean | Enables a call to the GitHub Advisory Database for security vulnerabilities resolved/unresolved in your update |
| excludeScopes | String[] | List of scopes for which you do not want updates |
| globalRepositories | String[] | List of URLs pointing to your desired custom repositories |
| globalPluginRepositories | String[] | List of URLs pointing to your desired custom plugin repositories |
| disableMavenCentral | Boolean | Skips scanning the Maven Central repository for updates |

NPM

| Option | Type | Info |
| --- | --- | --- |
| enabled | Boolean | Enables or disables this build system |
| maxOpenPullRequests | Number | Maximum number of Dependaroo pull requests open at one time for this build system |
| include | String[] | List of entries formatted as "name:version". If populated, these are the only dependencies checked for updates |
| exclude | String[] | List of entries formatted as "name:version". If populated, these dependencies are not checked for updates |
| excludedDirectories | String[] | List of directories within your project that you wish to exclude from the scan |
| pullRequestTitlePrefix | String | Prefix for the title of pull requests created by Dependaroo (defaults to an empty string) |
| vulnerabilityScannerEnabled | Boolean | Enables a call to the GitHub Advisory Database for security vulnerabilities resolved/unresolved in your update |
| registry | String | URL pointing to your desired custom registry (defaults to https://registry.npmjs.org/) |

Yarn

| Option | Type | Info |
| --- | --- | --- |
| enabled | Boolean | Enables or disables this build system |
| maxOpenPullRequests | Number | Maximum number of Dependaroo pull requests open at one time for this build system |
| include | String[] | List of entries formatted as "name:version". If populated, these are the only dependencies checked for updates |
| exclude | String[] | List of entries formatted as "name:version". If populated, these dependencies are not checked for updates |
| excludedDirectories | String[] | List of directories within your project that you wish to exclude from the scan |
| pullRequestTitlePrefix | String | Prefix for the title of pull requests created by Dependaroo (defaults to an empty string) |
| vulnerabilityScannerEnabled | Boolean | Enables a call to the GitHub Advisory Database for security vulnerabilities resolved/unresolved in your update |
| registry | String | URL pointing to your desired custom registry (defaults to https://registry.yarnpkg.com/) |

Each build system in your dependaroo.yml is keyed on its name, lower-cased, e.g. gradle, maven, npm or yarn.