FAQ

On this page, we have collected and answered the most common questions and hints about using Codario.

How often will Codario check for updates of my project dependencies?

Codario checks for new updates automatically, at most once per hour; the actual frequency depends on how actively the project is used.

Do you provide only updates for vulnerable packages?

No, we provide all available updates that can be applied to your project while respecting the version constraints in its manifest file.

However, you can configure a project on Codario to receive updates only for vulnerable packages.

How do you get notice of updates and vulnerabilities?

We monitor public advisory and registry sources for every supported package manager (for example, www.npmjs.com/advisories for npm).

When will an update task be created?

Whenever one or more updates for a project's packages are available.

Note that Codario always respects the version constraints from your manifest file (for example, composer.json for Composer, package.json for npm).

For example, if you use the constraint ~1.2.3 for a Composer package, Codario would suggest the update to version 1.2.34 but not to version 1.3.0, because that constraint disallows versions >=1.3.0.
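To make the constraint logic concrete, here is an added example (it is not Codario's own code) that evaluates tilde (~) and caret (^) constraints the way composer.json and package.json use them and lists which releases an updater may propose. It assumes plain MAJOR.MINOR.PATCH versions with no pre-release tags, and it deliberately rejects two-part constraints such as ~1.2, because Composer (>=1.2 <2.0) and npm (>=1.2.0 <1.3.0) interpret those differently. The package release list is constructed sample data, not a real registry.

```javascript
// Added example, not Codario code: which releases does a ~ or ^ constraint allow?
// Assumption: versions are MAJOR.MINOR.PATCH only (no pre-release, no metadata).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so 1.2.34 > 1.2.10 (a plain string
// comparison would rank 1.2.9 above 1.2.10).
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareVersions(a, b) {
  return compareParts(parseVersion(a), parseVersion(b));
}

// Turn a constraint into an inclusive lower bound and an exclusive upper bound.
function constraintBounds(constraint) {
  const c = constraint.trim();
  const op = c[0];
  if (op !== '~' && op !== '^') throw new Error(`unsupported constraint: ${constraint}`);
  const [major, minor, patch] = parseVersion(c.slice(1));
  const lower = [major, minor, patch];
  let upper;
  if (op === '~') {
    upper = [major, minor + 1, 0];        // ~1.2.3  => >=1.2.3 <1.3.0
  } else if (major > 0) {
    upper = [major + 1, 0, 0];            // ^1.2.3  => >=1.2.3 <2.0.0
  } else if (minor > 0) {
    upper = [0, minor + 1, 0];            // ^0.2.3  => >=0.2.3 <0.3.0 (0.x is unstable)
  } else {
    upper = [0, 0, patch + 1];            // ^0.0.3  => >=0.0.3 <0.0.4
  }
  return { lower, upper };
}

function satisfies(version, constraint) {
  const { lower, upper } = constraintBounds(constraint);
  const v = parseVersion(version);
  return compareParts(v, lower) >= 0 && compareParts(v, upper) < 0;
}

// Releases the constraint allows, newest first. The first element is the
// update a constraint-respecting tool would propose; everything filtered out
// (e.g. 1.3.0 under ~1.2.3) stays untouched even if it carries a security fix.
function allowedUpdates(constraint, releases) {
  return releases
    .filter((r) => satisfies(r, constraint))
    .sort((a, b) => compareVersions(b, a));
}

// Constructed sample data: the release list of a hypothetical package.
const RELEASES = ['1.2.3', '1.2.10', '1.2.34', '1.3.0', '1.4.1', '2.0.0'];

function demo() {
  return {
    tilde: allowedUpdates('~1.2.3', RELEASES), // ['1.2.34', '1.2.10', '1.2.3']
    caret: allowedUpdates('^1.2.3', RELEASES), // ['1.4.1', '1.3.0', '1.2.34', '1.2.10', '1.2.3']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The practical point for a security review: under ~1.2.3 the updater can never propose 1.3.0, so if a fix only ships in 1.3.0 the package stays vulnerable until someone widens the constraint in the manifest. Check the constraint before concluding that an updater "missed" an advisory.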

Why are some vulnerable packages not added to update tasks?

Codario always respects the version constraints from your manifest file (for example, composer.json for Composer, package.json for npm). Hence, the most likely reason why a vulnerable package is not included in an update task is that the constraints on your packages do not allow the fixed version.

Other possible reasons:

  • The project was created with "empty" configs: in this case, update tasks are only created once you have provided configs for the project.
  • The package is ignored for updates (the "ignore for tasks" switch next to the package name is enabled).
  • The package was included in an update task, but you marked it as "ignored" in that task: in this case, updates up to that release are skipped.

This applies both to regular updates and to updates that remedy vulnerabilities.

How does the "update policy" for packages work?

As mentioned above, Codario always respects the version constraints from your manifest file. In addition, you can customize which packages are included in (or excluded from) update tasks. Every package has an update policy, which is either allow or ignore.

  • Packages with "ignore for tasks" disabled, together with all of their child dependencies, are included in update tasks.
  • Packages with "ignore for tasks" enabled are excluded from update tasks. Note that such a package can still end up in an update task when it is a child dependency of another package that is not ignored.

How do I detect vulnerable packages that can't be updated automatically?

A project containing such a package is shown with a "skull" icon on the "projects list" page.

The package itself is also shown with a "skull" icon on the "project overview" page.

Why is my task going to "New updates available" state again?

Codario groups updates for several packages together in one update task. If a project has a task whose state is neither "Test Passed" nor "Closed", and new updates for packages become available, Codario adds those releases to that existing task and changes its state back to "New updates available".

This approach keeps applying updates simple: all pending updates are handled together in one task until they are merged.

How exactly does the "contains_vulnerable_packages" mode work?

If a project's "create_tasks_for" property is set to "contains_vulnerable_packages", that project creates tasks only for vulnerable packages, their sub-packages, and the packages they require.

During the update process, Codario first tries to update only the vulnerable packages; if that fails, it falls back to updating all packages included in the update task.

Why should I close the finished tasks?

A "Closed" task means that you have finished working with the updates it contains and it no longer requires attention. Closed tasks are hidden by default and are not counted in the "badge" under the "Tasks" item in the top menu or under the "Tasks" item in a project menu.

The tasks workflow

Any stage shown with a "Failed" badge can end in that failed state during processing.