Document Intelligence API: Dependency Updates & Dashboard
Stay up-to-date with the latest dependencies and updates for the Document Intelligence API. This dashboard provides an overview of Renovate updates and detected dependencies, ensuring your project remains secure and efficient. Learn more about Dependency Dashboards in the Renovate documentation.
View this repository on the Mend.io Web Portal.
Updates Awaiting Schedule
The following updates are awaiting their scheduled time. To initiate an update immediately, simply click the corresponding checkbox. This allows for controlled and timely management of dependencies.
- [ ] Update log4j2 monorepo to v2.25.2 (org.apache.logging.log4j:log4j-to-slf4j, org.apache.logging.log4j:log4j-api)
- [ ] Update logback monorepo to v1.5.21 (ch.qos.logback:logback-core, ch.qos.logback:logback-classic)
- [ ] Update plugin org.springframework.boot to v3.5.8
- [ ] Update dependency hashicorp/terraform to v1.14.0
- [ ] Update plugin com.github.ben-manes.versions to v0.53.0
- [ ] Update actions/checkout action to v6
- [ ] Update actions/setup-java action to v5
- [ ] Update dependency org.springdoc:springdoc-openapi-starter-webmvc-ui to v3
- [ ] Update github/codeql-action action to v4
- [ ] Update Gradle to v9
- [ ] Update plugin org.sonarqube to v7
- [ ] Update plugin org.springframework.boot to v4
Detected Dependencies
Below is a detailed breakdown of the detected dependencies within the Document Intelligence API. Each section provides insights into different aspects of the project's dependency landscape, from Docker configurations to Gradle plugins. Understanding these dependencies is crucial for maintaining stability, security, and performance.
Docker Compose
docker-compose
docker-compose.yml
Docker Compose simplifies the management of multi-container Docker applications. By defining your application's services, networks, and volumes in a docker-compose.yml file, you can easily spin up your entire application stack with a single command. Regularly reviewing and updating your Docker Compose configuration ensures that your development and deployment environments are consistent and reproducible. This consistency is vital for preventing environment-specific bugs and streamlining the deployment process.
Dockerfile
dockerfile
Dockerfile
hmctspublic.azurecr.io/base/java 21-distroless
The Dockerfile is the blueprint for building Docker images. It specifies the base image, application code, dependencies, and runtime configurations. Using a minimal base image like java 21-distroless reduces the attack surface and improves image size and build times. Keeping your Dockerfile updated with the latest base images and security patches is a fundamental security practice. It's important to regularly review your Dockerfile to ensure it adheres to best practices for image construction.
GitHub Actions
github-actions
.github/workflows/ci.yml
actions/checkout v4
actions/setup-java v4
.github/workflows/codeql.yml
actions/checkout v4
github/codeql-action v3
actions/setup-java v4
github/codeql-action v3
github/codeql-action v3
.github/workflows/publish-openapi.yaml
hmcts/workflow-publish-openapi-spec v1
GitHub Actions automate your software development workflows directly within your GitHub repository. These workflows can handle various tasks, including CI/CD, code analysis, and deployment. Utilizing actions like actions/checkout, actions/setup-java, and github/codeql-action streamlines common development processes. Regularly updating these actions ensures you benefit from the latest features and security enhancements. The hmcts/workflow-publish-openapi-spec v1 action highlights a custom workflow tailored to publishing OpenAPI specifications, showcasing the extensibility of GitHub Actions.
Gradle
gradle
build.gradle
io.spring.dependency-management 1.1.7
org.springframework.boot 3.5.5
com.github.ben-manes.versions 0.52.0
org.sonarqube 6.3.1.5724
uk.gov.hmcts.java 0.12.67
org.springdoc:springdoc-openapi-starter-webmvc-ui 2.8.14
com.github.hmcts.java-logging:logging 6.1.9
org.apache.logging.log4j:log4j-api 2.25.1
org.apache.logging.log4j:log4j-to-slf4j 2.25.1
ch.qos.logback:logback-classic 1.5.18
ch.qos.logback:logback-core 1.5.18
io.rest-assured:rest-assured 5.5.6
Gradle is a powerful build automation system widely used in Java projects. The build.gradle file lists the project's dependencies, plugins, and build configurations. Key dependencies include org.springframework.boot, which provides the foundation for Spring Boot applications, and org.springdoc:springdoc-openapi-starter-webmvc-ui, used for generating OpenAPI documentation. Plugins like com.github.ben-manes.versions help manage dependency versions, while org.sonarqube integrates with SonarQube for code quality analysis. Keeping these dependencies and plugins up to date is crucial for leveraging the latest features, performance improvements, and security patches. Additionally, dependencies like org.apache.logging.log4j and ch.qos.logback are essential for logging, and their versions should be monitored for potential vulnerabilities.
Gradle Wrapper
gradle-wrapper
gradle/wrapper/gradle-wrapper.properties
gradle 8.14.3
The Gradle Wrapper ensures that your project uses a specific version of Gradle, providing consistency across different development environments. The gradle-wrapper.properties file specifies the Gradle version to use. Regularly updating the Gradle Wrapper ensures that your project benefits from the latest Gradle features and improvements. It also prevents compatibility issues that can arise from using different Gradle versions.
Helm Values
helm-values
charts/rpe-spring-boot-template/values.yaml
Helm is a package manager for Kubernetes, simplifying the deployment and management of applications. The values.yaml file defines the default configuration values for your Helm chart. Reviewing and updating these values ensures that your application is configured correctly for different environments. Consistent configuration management is crucial for smooth deployments and operational stability.
Helm v3
helmv3
charts/rpe-spring-boot-template/Chart.yaml
java 5.3.0
The Chart.yaml file provides metadata about your Helm chart, including its name, version, and dependencies. The java 5.3.0 entry is a chart dependency declared in Chart.yaml: a chart named java at version 5.3.0. Monitoring the versions of your Helm chart dependencies is essential for maintaining compatibility and addressing potential vulnerabilities.
Regex
regex
Dockerfile
microsoft/ApplicationInsights-Java 3.7.6
Regular expressions (regex) are used to identify specific patterns in files, allowing for flexible dependency detection. In this case, the regex has identified microsoft/ApplicationInsights-Java 3.7.6 within the Dockerfile. Keeping track of dependencies identified through regex is important, as these might not be captured by traditional dependency management tools. Application Insights is a powerful tool for monitoring the health and performance of your application, and ensuring its Java agent is up-to-date is vital for accurate data collection.
Renovate Config Presets
renovate-config-presets
.github/renovate.json
Renovate configuration presets define the rules and settings for Renovate, a dependency update tool. The .github/renovate.json file configures Renovate's behavior, including update schedules, dependency groupings, and versioning strategies. Properly configuring Renovate is essential for automating dependency updates effectively and ensuring that your project stays current with the latest releases.
Terraform
terraform
infrastructure/main.tf
Terraform is an infrastructure-as-code tool that allows you to define and manage your infrastructure through code. The main.tf file describes your infrastructure resources, such as virtual machines, networks, and databases. Regularly reviewing your Terraform configurations ensures that your infrastructure is provisioned correctly and securely. It also allows you to track changes to your infrastructure over time.
Terraform Version
terraform-version
infrastructure/.terraform-version
hashicorp/terraform 1.12.0
The .terraform-version file specifies the Terraform version required for your infrastructure project. Using a specific Terraform version ensures consistency and prevents compatibility issues. Keeping your Terraform version up-to-date allows you to leverage the latest features and security enhancements provided by HashiCorp.
- [ ] Check this box to trigger a request for Renovate to run again on this repository
This option allows you to manually trigger a Renovate run, ensuring that your dependencies are checked and updated as needed. This can be useful for addressing urgent security concerns or incorporating new features.
By staying proactive with dependency management and utilizing tools like Renovate, you can ensure your Document Intelligence API remains secure, efficient, and up-to-date. For more information on dependency management best practices, visit OWASP's Dependency Check.