Dependency Update¶
stagefreight dependency update resolves outdated dependencies, applies updates, runs verification, and generates artifacts for review or CI consumption.
Current ecosystem support: Go modules (go.mod) and Dockerfile base image tags (FROM directives). Additional ecosystems are planned but not yet implemented.
CLI Usage¶
| Flag | Default | Description |
|---|---|---|
--dry-run |
false |
Resolve and report without applying changes |
--bundle |
false |
Include deps-updated.tgz artifact |
--no-verify |
false |
Skip go test after update |
--no-vulncheck |
false |
Skip govulncheck after update |
--ecosystem |
all | Filter to specific ecosystem(s) |
--output |
.stagefreight/deps |
Output directory for artifacts |
--policy |
all |
Update policy: all, security |
Exit codes: 0 success, 1 verify failure (tests failed after update), 2 update failure.
Arguments: [path] is the root directory to scan. Defaults to the current working directory.
Examples¶
# Preview what would be updated (no changes written)
stagefreight dependency update --dry-run
# Apply all updates with verification
stagefreight dependency update
# Security-only updates, skip tests
stagefreight dependency update --policy security --no-verify
# Target a specific repo path
stagefreight dependency update /path/to/repo
Artifacts¶
On success, three files are written to the output directory:
| File | Description |
|---|---|
resolve.json |
Machine-readable resolution: all deps, versions, CVEs |
deps-report.md |
Human-readable summary of applied/skipped updates |
deps.patch |
Git diff of all changes (for CI merge request workflows) |
With --bundle, an additional deps-updated.tgz is generated containing all artifacts.
Go Toolchain Resolution¶
dependency update needs a Go toolchain to run go get and go mod tidy. Rather than requiring Go to be pre-installed, StageFreight uses a multi-strategy resolver that tries these approaches in order:
Strategy 1: Native (go in PATH)¶
Standard developer machine or CI stage with Go installed. Zero overhead.
Strategy 2: Toolcache (STAGEFREIGHT_GO_HOME or /toolcache/go)¶
Checks $STAGEFREIGHT_GO_HOME/bin/go first, then /toolcache/go/bin/go. Designed for Kubernetes pods where an initContainer downloads the Go toolchain into a shared emptyDir volume before StageFreight starts. No Docker daemon, no RBAC, no pod creation required.
Strategy 3: Container runtime (docker/podman/nerdctl)¶
Falls back to running Go inside a container. Detects docker, podman, or nerdctl (first found wins). Parses the go directive from go.mod (or toolchain directive if present) to select the matching golang:<ver>-alpine image.
The container runner:
- Mounts the repo root as
/srcwith the module directory as the working directory - Runs as the current user (
--user uid:gid) to avoid root-owned file writes - Sets
HOME,GOCACHE, andGOMODCACHEto/tmppaths inside the container - Forwards
GOPROXY,GOPRIVATE,GONOSUMDB,GONOPROXY,GOFLAGS,HTTP_PROXY,HTTPS_PROXY, andNO_PROXYfrom the host environment - Uses
--pull=missingfor consistent behavior across CI nodes
Strategy 4: Error¶
If none of the above are available, a clear error is returned:
go toolchain not found: install Go, set STAGEFREIGHT_GO_HOME, or ensure a container runtime (docker/podman/nerdctl) is available
Verification¶
After applying updates, StageFreight runs verification (unless --no-verify / --no-vulncheck):
go test ./...on every updated module directory, using the same toolchain strategy as the update itself.govulncheck ./...viago run golang.org/x/vuln/cmd/govulncheck@latest, so it works across all strategies without requiring a pre-installedgovulncheckbinary.
Running from the StageFreight Container Image¶
When running dependency update from the published container image (e.g., in CI), the Go toolchain is not included in the image. The container runner strategy (strategy 3) activates automatically when a Docker socket is available.
# The mount path MUST match the host path so the inner golang container
# can resolve it from the Docker daemon's perspective.
docker run --rm \
-v /path/to/repo:/path/to/repo \
-v /var/run/docker.sock:/var/run/docker.sock \
-w /path/to/repo \
--user "$(id -u):$(id -g)" \
--group-add "$(stat -c '%g' /var/run/docker.sock)" \
docker.io/prplanit/stagefreight:latest-dev \
stagefreight dependency update
Key detail: The -v mount path must be the real host path (not an alias like /src). The container runner spawns a sibling container via the Docker socket, and the Docker daemon resolves volume mounts relative to the host filesystem. A mismatched path (e.g., -v /host/repo:/src then the inner container tries -v /src:/src) will silently mount the wrong directory or fail.
For Kubernetes with DinD sidecars, ensure the workspace volume mount uses the same path in both the StageFreight container and the Docker daemon's view of the filesystem.
Workspace Mode¶
Go workspaces (go.work) are supported. When a go.work file is detected at the repo root, updates use go -C <module-dir> with relative paths instead of changing the working directory. This works correctly across all toolchain strategies.
Configuration¶
Dependency update behavior is controlled by the lint.modules.freshness block in .stagefreight.yml. See Linter Configuration for the full freshness module schema including ecosystems, severity thresholds, ignore patterns, and package rules.