At the Ortelius Open Source Project, we’re always working behind the scenes to make our platform more powerful, secure, and reliable. A big part of that is managing the “ingredients” that keep Ortelius running smoothly—its software dependencies.
Keeping those dependencies up to date is crucial for security, performance, and compatibility. But routine updates, especially the safe ones, can clutter developer workflows and distract from meaningful work. That’s why we’re building a smart automated bot to handle safe, low-risk dependency upgrades—so our developers don’t have to.
The Ortelius MCP server is designed to accelerate developer productivity by proactively managing software dependencies and mitigating Common Vulnerabilities and Exposures (CVEs) across Git repositories. Our automated dependency bot service is a crucial component of this ecosystem, aiming to streamline safe dependency file upgrades with minimal developer intervention.
Repository Scanning and Dependency Analysis:
The bot periodically scans configured repositories, leveraging integrations with package managers such as npm, PyPI, and Maven to identify outdated dependencies. It fetches package metadata and checks for known vulnerabilities using the Ortelius MCP’s SBOM lookup and API MCP integrations.
Risk Assessment and Classification:
Using advanced risk analysis algorithms, the bot evaluates each candidate update based on:
Automated Branch Creation and PR Generation:
For updates deemed low-risk or trusted, the bot:
Sandbox Testing Environment:
Before PR creation, updates are deployed to an isolated sandbox environment replicating production conditions. This environment runs comprehensive automated test suites integrated via CI/CD pipelines to verify that no functionality is broken by the dependency change. Only upon passing all tests does the bot proceed to PR creation.
Flagging and Manual Review:
Updates classified as risky or ambiguous are logged and routed to a developer for manual review, preventing potential instability.
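To make the flow above concrete, here is an added example (not Ortelius MCP code) that implements the risk classification and the sandbox gate in Python; the package names, versions and the advisory feed are constructed placeholders, and the sandbox test suite is passed in as a callable.

```python
# Decision flow for a dependency-upgrade bot, modelled on the steps above.
# Added example, not Ortelius MCP code; all package data is constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Candidate:
    name: str
    current: str   # version pinned in the repository
    latest: str    # newest version reported by the package registry

# Constructed advisory feed: (package, affected version) -> placeholder id.
KNOWN_VULNS = {
    ("example-http", "1.4.0"): "EXAMPLE-ADVISORY-1",
    ("example-yaml", "3.0.0"): "EXAMPLE-ADVISORY-2",
}

def parse_semver(version: str) -> tuple[int, int, int]:
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])

def classify(c: Candidate) -> str:
    """Risk class: 'skip', 'auto' (low-risk, bot may open a PR) or
    'review' (risky or ambiguous, logged for a developer)."""
    if c.current == c.latest:
        return "skip"
    if (c.name, c.latest) in KNOWN_VULNS:
        return "review"      # never auto-upgrade into a known-vulnerable release
    try:
        cur, new = parse_semver(c.current), parse_semver(c.latest)
    except ValueError:
        return "review"      # pre-release tags or ranges are ambiguous
    if new < cur or new[0] != cur[0]:
        return "review"      # downgrade or major bump: breaking-change risk
    return "auto"            # same major line: patch or minor upgrade

def plan_upgrades(cands: list[Candidate],
                  sandbox_passes: Callable[[Candidate], bool]) -> dict[str, str]:
    """Classify, then gate 'auto' updates on the sandbox test suite;
    a failing suite demotes the update to manual review."""
    outcome = {}
    for c in cands:
        decision = classify(c)
        if decision == "auto":
            decision = "open_pr" if sandbox_passes(c) else "review"
        outcome[c.name] = decision
    return outcome
```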
This bot isn’t just a convenience—it’s a long-term investment in the future of Ortelius. By automating the routine, we empower our people to do what they do best: innovate, collaborate, and grow the platform for everyone.
Stay tuned for more updates—we’re just getting started!
Jing Chen

Jing specializes in driving enterprise-wide digital transformation and delivering significant financial and operational improvements across financial services. With a proven track record of steering complex, large-scale IT programmes from conception to successful completion, she empowers organizations to achieve measurable outcomes, including multi-million dollar budget savings and substantial reductions in manual work and business downtime through strategic automation and DevSecOps initiatives. Her leadership style fosters collaboration and focuses relentlessly on impactful results, building strong stakeholder relationships at all levels.