[{"data":1,"prerenderedAt":1469},["ShallowReactive",2],{"search-api":-1,"listing-tag-supply-chain-page-1":3},[4],{"_path":5,"_dir":6,"_draft":7,"_partial":7,"_locale":8,"title":9,"description":10,"id":11,"date":12,"listed":13,"nocomments":7,"hidden":7,"categories":14,"tags":15,"cover":20,"readingTime":21,"body":26,"_type":1463,"_id":1464,"_source":1465,"_file":1466,"_stem":1467,"_extension":1468},"/fr/dette-technique/dependabot-craft-gestion-dependances","dette-technique",false,"","Dependabot : configurer son coéquipier silencieux contre la dette de dépendances","Dependabot bien configuré vous évite des nuits à patcher la prochaine CVE critique. Guide craft : 7 tips, config YAML annotée, auto-merge intelligent.",61,"2026-05-01",true,[6],[16,17,6,18,19],"dependabot","supply-chain","sécurité","ia","covers/articles/dependabot-craft-gestion-dependances.jpg",{"text":22,"minutes":23,"time":24,"words":25},"11 min read",10.825,649500,2165,{"type":27,"children":28,"toc":1449},"root",[29,41,63,67,74,79,95,100,122,135,138,144,149,238,243,246,259,262,268,273,287,300,841,890,925,931,944,985,997,1003,1015,1020,1023,1029,1034,1051,1061,1094,1097,1103,1108,1213,1218,1223,1226,1232,1237,1242,1254,1266,1269,1275,1290,1303,1351,1402,1415,1428,1431,1443],{"type":30,"tag":31,"props":32,"children":33},"element","p",{},[34],{"type":30,"tag":35,"props":36,"children":37},"strong",{},[38],{"type":39,"value":40},"text","En décembre 2021, Log4Shell (CVE-2021-44228, score CVSS 10 sur 10) a tenu l'industrie entière debout tout un week-end. Une faille critique dans une librairie que presque personne n'avait choisie explicitement, et qui se cachait pourtant dans des dizaines de milliers de projets. Ce soir-là, d'innombrables équipes ont découvert la même chose : elles ne savaient pas ce qu'il y avait vraiment dans leur arbre de dépendances. 
C'est exactement ce genre de nuit que Dependabot bien configuré vous évite.",{"type":30,"tag":31,"props":42,"children":43},{},[44,46,53,55,61],{"type":39,"value":45},"Depuis, je n'ouvre plus un projet sans ce réflexe. Sur crmcoaching, le SaaS que je développe seul avec Claude, l'un des premiers fichiers que je versionne après le ",{"type":30,"tag":47,"props":48,"children":50},"code",{"className":49},[],[51],{"type":39,"value":52},"package.json",{"type":39,"value":54},", c'est ",{"type":30,"tag":47,"props":56,"children":58},{"className":57},[],[59],{"type":39,"value":60},"dependabot.yml",{"type":39,"value":62}," : versionné, audité, pensé. Pas l'activation par défaut que la majorité des projets laissent en l'état, mais une vraie configuration craft. Voici ce que j'applique au quotidien sur crmcoaching, ce que je vois rater en mission, et la méthode complète.",{"type":30,"tag":64,"props":65,"children":66},"hr",{},[],{"type":30,"tag":68,"props":69,"children":71},"h2",{"id":70},"pourquoi-vos-dépendances-pourrissent-plus-vite-en-2026",[72],{"type":39,"value":73},"Pourquoi vos dépendances pourrissent plus vite en 2026",{"type":30,"tag":31,"props":75,"children":76},{},[77],{"type":39,"value":78},"Le constat est chiffré, et il est sévère.",{"type":30,"tag":31,"props":80,"children":81},{},[82,84,93],{"type":39,"value":83},"Selon le ",{"type":30,"tag":85,"props":86,"children":90},"a",{"href":87,"rel":88},"https://snyk.io/reports/open-source-security/",[89],"nofollow",[91],{"type":39,"value":92},"Snyk Open Source Security Report 2024",{"type":39,"value":94},", les vulnérabilités de supply chain ont progressé de 156% entre 2023 et 2024. Sur la même période, GitClear documente que les équipes utilisant un assistant IA comme Claude ajoutent en moyenne 40% de dépendances en plus par projet. Le ratio est clair : on consomme plus, on audite moins.",{"type":30,"tag":31,"props":96,"children":97},{},[98],{"type":39,"value":99},"Je l'ai vu sur crmcoaching même. 
La séquence est toujours la même : je prompte Claude pour résoudre un problème, il me propose une lib externe (souvent une qu'il connaît depuis son training data, donc pas la version courante), je l'accepte parce qu'elle marche, et la dépendance entre dans le repo. Six mois plus tard, cette même lib a une CVE critique. Sans filet de sécurité, personne ne le sait, surtout quand on développe seul.",{"type":30,"tag":101,"props":102,"children":103},"blockquote",{},[104],{"type":30,"tag":31,"props":105,"children":106},{},[107,112,114,120],{"type":30,"tag":35,"props":108,"children":109},{},[110],{"type":39,"value":111},"Ce que j'ai observé",{"type":39,"value":113}," : un ",{"type":30,"tag":47,"props":115,"children":117},{"className":116},[],[118],{"type":39,"value":119},"pnpm list --depth=Infinity",{"type":39,"value":121}," sur crmcoaching listait plus de 1 000 dépendances transitives, pour une application que je connais pourtant ligne par ligne. La quasi-totalité n'avait jamais été ajoutée volontairement : elles sont arrivées dans les bagages de quelques dépendances directes. Et pourtant, chacune d'elles peut, demain matin, ouvrir une faille sur le paiement ou l'authentification de mes utilisateurs.",{"type":30,"tag":31,"props":123,"children":124},{},[125,127,133],{"type":39,"value":126},"Bruce Schneier a écrit que ",{"type":30,"tag":128,"props":129,"children":130},"em",{},[131],{"type":39,"value":132},"\"Security is a process, not a product\"",{"type":39,"value":134},". Dependabot n'est pas un produit que vous activez et que vous oubliez : c'est le squelette d'un processus craft de gestion de dépendances. 
Sans le squelette, vous codez en aveugle.",{"type":30,"tag":64,"props":136,"children":137},{},[],{"type":30,"tag":68,"props":139,"children":141},{"id":140},"les-4-signaux-que-votre-gestion-de-dépendances-dérive",[142],{"type":39,"value":143},"Les 4 signaux que votre gestion de dépendances dérive",{"type":30,"tag":31,"props":145,"children":146},{},[147],{"type":39,"value":148},"Demain matin, ouvrez votre repo principal et vérifiez ces 4 signaux. Si vous en cochez 2 ou plus, vous avez un problème.",{"type":30,"tag":150,"props":151,"children":152},"ul",{},[153,180,190,206],{"type":30,"tag":154,"props":155,"children":156},"li",{},[157,178],{"type":30,"tag":35,"props":158,"children":159},{},[160,162,168,170,176],{"type":39,"value":161},"Signal 1 : votre dernier audit de dépendances (",{"type":30,"tag":47,"props":163,"children":165},{"className":164},[],[166],{"type":39,"value":167},"pnpm audit",{"type":39,"value":169}," côté Node, ",{"type":30,"tag":47,"props":171,"children":173},{"className":172},[],[174],{"type":39,"value":175},"mvn dependency-check:check",{"type":39,"value":177}," côté Java, ou équivalent) date de plus de 30 jours.",{"type":39,"value":179}," Concrètement, vous ne savez pas combien de vulnérabilités critiques dorment dans votre arbre de dépendances. 
Mauvais signe.",{"type":30,"tag":154,"props":181,"children":182},{},[183,188],{"type":30,"tag":35,"props":184,"children":185},{},[186],{"type":39,"value":187},"Signal 2 : vos PR Dependabot s'accumulent en mode \"à traiter plus tard\".",{"type":39,"value":189}," Si vous voyez plus de 10 PR ouvertes depuis plus de 14 jours, votre filet de sécurité est devenu un cimetière.",{"type":30,"tag":154,"props":191,"children":192},{},[193,204],{"type":30,"tag":35,"props":194,"children":195},{},[196,198],{"type":39,"value":197},"Signal 3 : vous ne savez pas quelle est votre ",{"type":30,"tag":47,"props":199,"children":201},{"className":200},[],[202],{"type":39,"value":203},"time-to-patch",{"type":39,"value":205}," sur les CVE critiques. C'est le délai entre disclosure d'une CVE et son fix en prod. En dessous de 7 jours, vous êtes sain. Au-dessus de 30 jours, vous jouez à la roulette russe.",{"type":30,"tag":154,"props":207,"children":208},{},[209,229,231,236],{"type":30,"tag":35,"props":210,"children":211},{},[212,214,220,222,227],{"type":39,"value":213},"Signal 4 : vous avez des entrées ",{"type":30,"tag":47,"props":215,"children":217},{"className":216},[],[218],{"type":39,"value":219},"ignore",{"type":39,"value":221}," dans votre ",{"type":30,"tag":47,"props":223,"children":225},{"className":224},[],[226],{"type":39,"value":60},{"type":39,"value":228}," qui datent de plus de 6 mois.",{"type":39,"value":230}," Un ",{"type":30,"tag":47,"props":232,"children":234},{"className":233},[],[235],{"type":39,"value":219},{"type":39,"value":237}," est une dette que vous reportez. Si vous ne savez plus pourquoi vous l'avez mis, vous avez déjà perdu.",{"type":30,"tag":31,"props":239,"children":240},{},[241],{"type":39,"value":242},"Ces signaux ne sont pas théoriques. Je les ai vus, dans cet ordre, dans la majorité des équipes que j'ai accompagnées sur 2024 et 2025. 
Le 8ème signal arrive toujours : c'est l'incident.",{"type":30,"tag":64,"props":244,"children":245},{},[],{"type":30,"tag":247,"props":248,"children":253},"cta",{"cta":249,"href":250,"title":251,"type":252},"Coder comme un senior →","https://app.kamanga.fr/forms/mentoring","Vous voulez acquérir le réflexe d'auditer chaque dépendance avant qu'elle entre dans votre repo ?","call",[254],{"type":30,"tag":31,"props":255,"children":256},{},[257],{"type":39,"value":258},"Savoir lire un arbre de dépendances, flairer la lib que Claude propose en retard de 18 mois, juger quand un bump major mérite un ADR : ça ne se lit pas, ça se travaille. En mentoring 1:1, on relit votre vraie config Dependabot ensemble, je vous montre les arbitrages que je fais sur mes propres projets, et vous repartez avec le jugement qui transforme une alerte en décision sereine.",{"type":30,"tag":64,"props":260,"children":261},{},[],{"type":30,"tag":68,"props":263,"children":265},{"id":264},"comment-je-configure-dependabot-étape-par-étape",[266],{"type":39,"value":267},"Comment je configure Dependabot, étape par étape",{"type":30,"tag":31,"props":269,"children":270},{},[271],{"type":39,"value":272},"Voici la méthode que j'applique sur crmcoaching, et que je redéploie ensuite quand j'arrive en mission dans une équipe qui n'a pas (ou peu) de gestion de dépendances. Pas une checklist générique, mais ce que je fais vraiment, dans l'ordre.",{"type":30,"tag":274,"props":275,"children":277},"h3",{"id":276},"étape-1-le-dependabotyml-craft",[278,280,285],{"type":39,"value":279},"Étape 1 : le ",{"type":30,"tag":47,"props":281,"children":283},{"className":282},[],[284],{"type":39,"value":60},{"type":39,"value":286}," craft",{"type":30,"tag":31,"props":288,"children":289},{},[290,292,298],{"type":39,"value":291},"Je crée (ou je refais) le fichier ",{"type":30,"tag":47,"props":293,"children":295},{"className":294},[],[296],{"type":39,"value":297},".github/dependabot.yml",{"type":39,"value":299},". 
Voici la version courte de ma configuration de référence, celle que j'utilise sur crmcoaching (TypeScript, géré avec pnpm) et que je décline ensuite en mission sur des codebases Java/Maven :",{"type":30,"tag":301,"props":302,"children":306},"pre",{"className":303,"code":304,"language":305,"meta":8,"style":8},"language-yaml shiki shiki-themes catppuccin-frappe github-dark","version: 2\nupdates:\n  - package-ecosystem: \"npm\" # gère aussi pnpm et yarn\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n      day: \"monday\"\n      time: \"09:00\"\n    open-pull-requests-limit: 5\n    groups:\n      minor-and-patch:\n        patterns: [\"*\"]\n        update-types: [\"minor\", \"patch\"]\n    labels: [\"dependencies\", \"auto-review\"]\n    reviewers: [\"kamanga\"]\n    ignore:\n      - dependency-name: \"next\"\n        update-types: [\"version-update:semver-major\"]\n\n  - package-ecosystem: \"docker\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n\n  - package-ecosystem: \"github-actions\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n","yaml",[307],{"type":30,"tag":47,"props":308,"children":309},{"__ignoreMap":8},[310,334,348,379,397,410,428,446,464,482,495,508,536,572,607,633,646,669,694,703,724,740,752,768,776,797,813,825],{"type":30,"tag":311,"props":312,"children":315},"span",{"class":313,"line":314},"line",1,[316,322,328],{"type":30,"tag":311,"props":317,"children":319},{"style":318},"--shiki-default:#8CAAEE;--shiki-dark:#85E89D",[320],{"type":39,"value":321},"version",{"type":30,"tag":311,"props":323,"children":325},{"style":324},"--shiki-default:#81C8BE;--shiki-dark:#E1E4E8",[326],{"type":39,"value":327},":",{"type":30,"tag":311,"props":329,"children":331},{"style":330},"--shiki-default:#EF9F76;--shiki-dark:#79B8FF",[332],{"type":39,"value":333}," 
2\n",{"type":30,"tag":311,"props":335,"children":337},{"class":313,"line":336},2,[338,343],{"type":30,"tag":311,"props":339,"children":340},{"style":318},[341],{"type":39,"value":342},"updates",{"type":30,"tag":311,"props":344,"children":345},{"style":324},[346],{"type":39,"value":347},":\n",{"type":30,"tag":311,"props":349,"children":351},{"class":313,"line":350},3,[352,358,363,367,373],{"type":30,"tag":311,"props":353,"children":355},{"style":354},"--shiki-default:#949CBB;--shiki-dark:#E1E4E8",[356],{"type":39,"value":357},"  -",{"type":30,"tag":311,"props":359,"children":360},{"style":318},[361],{"type":39,"value":362}," package-ecosystem",{"type":30,"tag":311,"props":364,"children":365},{"style":324},[366],{"type":39,"value":327},{"type":30,"tag":311,"props":368,"children":370},{"style":369},"--shiki-default:#A6D189;--shiki-dark:#9ECBFF",[371],{"type":39,"value":372}," \"npm\"",{"type":30,"tag":311,"props":374,"children":376},{"style":375},"--shiki-default:#737994;--shiki-default-font-style:italic;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit",[377],{"type":39,"value":378}," # gère aussi pnpm et yarn\n",{"type":30,"tag":311,"props":380,"children":382},{"class":313,"line":381},4,[383,388,392],{"type":30,"tag":311,"props":384,"children":385},{"style":318},[386],{"type":39,"value":387},"    directory",{"type":30,"tag":311,"props":389,"children":390},{"style":324},[391],{"type":39,"value":327},{"type":30,"tag":311,"props":393,"children":394},{"style":369},[395],{"type":39,"value":396}," \"/\"\n",{"type":30,"tag":311,"props":398,"children":400},{"class":313,"line":399},5,[401,406],{"type":30,"tag":311,"props":402,"children":403},{"style":318},[404],{"type":39,"value":405},"    schedule",{"type":30,"tag":311,"props":407,"children":408},{"style":324},[409],{"type":39,"value":347},{"type":30,"tag":311,"props":411,"children":413},{"class":313,"line":412},6,[414,419,423],{"type":30,"tag":311,"props":415,"children":416},{"style":318},[417],{"type":39,"value":418}," 
     interval",{"type":30,"tag":311,"props":420,"children":421},{"style":324},[422],{"type":39,"value":327},{"type":30,"tag":311,"props":424,"children":425},{"style":369},[426],{"type":39,"value":427}," \"weekly\"\n",{"type":30,"tag":311,"props":429,"children":431},{"class":313,"line":430},7,[432,437,441],{"type":30,"tag":311,"props":433,"children":434},{"style":318},[435],{"type":39,"value":436},"      day",{"type":30,"tag":311,"props":438,"children":439},{"style":324},[440],{"type":39,"value":327},{"type":30,"tag":311,"props":442,"children":443},{"style":369},[444],{"type":39,"value":445}," \"monday\"\n",{"type":30,"tag":311,"props":447,"children":449},{"class":313,"line":448},8,[450,455,459],{"type":30,"tag":311,"props":451,"children":452},{"style":318},[453],{"type":39,"value":454},"      time",{"type":30,"tag":311,"props":456,"children":457},{"style":324},[458],{"type":39,"value":327},{"type":30,"tag":311,"props":460,"children":461},{"style":369},[462],{"type":39,"value":463}," \"09:00\"\n",{"type":30,"tag":311,"props":465,"children":467},{"class":313,"line":466},9,[468,473,477],{"type":30,"tag":311,"props":469,"children":470},{"style":318},[471],{"type":39,"value":472},"    open-pull-requests-limit",{"type":30,"tag":311,"props":474,"children":475},{"style":324},[476],{"type":39,"value":327},{"type":30,"tag":311,"props":478,"children":479},{"style":330},[480],{"type":39,"value":481}," 5\n",{"type":30,"tag":311,"props":483,"children":485},{"class":313,"line":484},10,[486,491],{"type":30,"tag":311,"props":487,"children":488},{"style":318},[489],{"type":39,"value":490},"    groups",{"type":30,"tag":311,"props":492,"children":493},{"style":324},[494],{"type":39,"value":347},{"type":30,"tag":311,"props":496,"children":498},{"class":313,"line":497},11,[499,504],{"type":30,"tag":311,"props":500,"children":501},{"style":318},[502],{"type":39,"value":503},"      
minor-and-patch",{"type":30,"tag":311,"props":505,"children":506},{"style":324},[507],{"type":39,"value":347},{"type":30,"tag":311,"props":509,"children":511},{"class":313,"line":510},12,[512,517,521,526,531],{"type":30,"tag":311,"props":513,"children":514},{"style":318},[515],{"type":39,"value":516},"        patterns",{"type":30,"tag":311,"props":518,"children":519},{"style":324},[520],{"type":39,"value":327},{"type":30,"tag":311,"props":522,"children":523},{"style":354},[524],{"type":39,"value":525}," [",{"type":30,"tag":311,"props":527,"children":528},{"style":369},[529],{"type":39,"value":530},"\"*\"",{"type":30,"tag":311,"props":532,"children":533},{"style":354},[534],{"type":39,"value":535},"]\n",{"type":30,"tag":311,"props":537,"children":539},{"class":313,"line":538},13,[540,545,549,553,558,563,568],{"type":30,"tag":311,"props":541,"children":542},{"style":318},[543],{"type":39,"value":544},"        update-types",{"type":30,"tag":311,"props":546,"children":547},{"style":324},[548],{"type":39,"value":327},{"type":30,"tag":311,"props":550,"children":551},{"style":354},[552],{"type":39,"value":525},{"type":30,"tag":311,"props":554,"children":555},{"style":369},[556],{"type":39,"value":557},"\"minor\"",{"type":30,"tag":311,"props":559,"children":560},{"style":354},[561],{"type":39,"value":562},",",{"type":30,"tag":311,"props":564,"children":565},{"style":369},[566],{"type":39,"value":567}," \"patch\"",{"type":30,"tag":311,"props":569,"children":570},{"style":354},[571],{"type":39,"value":535},{"type":30,"tag":311,"props":573,"children":575},{"class":313,"line":574},14,[576,581,585,589,594,598,603],{"type":30,"tag":311,"props":577,"children":578},{"style":318},[579],{"type":39,"value":580},"    
labels",{"type":30,"tag":311,"props":582,"children":583},{"style":324},[584],{"type":39,"value":327},{"type":30,"tag":311,"props":586,"children":587},{"style":354},[588],{"type":39,"value":525},{"type":30,"tag":311,"props":590,"children":591},{"style":369},[592],{"type":39,"value":593},"\"dependencies\"",{"type":30,"tag":311,"props":595,"children":596},{"style":354},[597],{"type":39,"value":562},{"type":30,"tag":311,"props":599,"children":600},{"style":369},[601],{"type":39,"value":602}," \"auto-review\"",{"type":30,"tag":311,"props":604,"children":605},{"style":354},[606],{"type":39,"value":535},{"type":30,"tag":311,"props":608,"children":610},{"class":313,"line":609},15,[611,616,620,624,629],{"type":30,"tag":311,"props":612,"children":613},{"style":318},[614],{"type":39,"value":615},"    reviewers",{"type":30,"tag":311,"props":617,"children":618},{"style":324},[619],{"type":39,"value":327},{"type":30,"tag":311,"props":621,"children":622},{"style":354},[623],{"type":39,"value":525},{"type":30,"tag":311,"props":625,"children":626},{"style":369},[627],{"type":39,"value":628},"\"kamanga\"",{"type":30,"tag":311,"props":630,"children":631},{"style":354},[632],{"type":39,"value":535},{"type":30,"tag":311,"props":634,"children":636},{"class":313,"line":635},16,[637,642],{"type":30,"tag":311,"props":638,"children":639},{"style":318},[640],{"type":39,"value":641},"    ignore",{"type":30,"tag":311,"props":643,"children":644},{"style":324},[645],{"type":39,"value":347},{"type":30,"tag":311,"props":647,"children":649},{"class":313,"line":648},17,[650,655,660,664],{"type":30,"tag":311,"props":651,"children":652},{"style":354},[653],{"type":39,"value":654},"      -",{"type":30,"tag":311,"props":656,"children":657},{"style":318},[658],{"type":39,"value":659}," dependency-name",{"type":30,"tag":311,"props":661,"children":662},{"style":324},[663],{"type":39,"value":327},{"type":30,"tag":311,"props":665,"children":666},{"style":369},[667],{"type":39,"value":668}," 
\"next\"\n",{"type":30,"tag":311,"props":670,"children":672},{"class":313,"line":671},18,[673,677,681,685,690],{"type":30,"tag":311,"props":674,"children":675},{"style":318},[676],{"type":39,"value":544},{"type":30,"tag":311,"props":678,"children":679},{"style":324},[680],{"type":39,"value":327},{"type":30,"tag":311,"props":682,"children":683},{"style":354},[684],{"type":39,"value":525},{"type":30,"tag":311,"props":686,"children":687},{"style":369},[688],{"type":39,"value":689},"\"version-update:semver-major\"",{"type":30,"tag":311,"props":691,"children":692},{"style":354},[693],{"type":39,"value":535},{"type":30,"tag":311,"props":695,"children":697},{"class":313,"line":696},19,[698],{"type":30,"tag":311,"props":699,"children":700},{"emptyLinePlaceholder":13},[701],{"type":39,"value":702},"\n",{"type":30,"tag":311,"props":704,"children":706},{"class":313,"line":705},20,[707,711,715,719],{"type":30,"tag":311,"props":708,"children":709},{"style":354},[710],{"type":39,"value":357},{"type":30,"tag":311,"props":712,"children":713},{"style":318},[714],{"type":39,"value":362},{"type":30,"tag":311,"props":716,"children":717},{"style":324},[718],{"type":39,"value":327},{"type":30,"tag":311,"props":720,"children":721},{"style":369},[722],{"type":39,"value":723}," 
\"docker\"\n",{"type":30,"tag":311,"props":725,"children":727},{"class":313,"line":726},21,[728,732,736],{"type":30,"tag":311,"props":729,"children":730},{"style":318},[731],{"type":39,"value":387},{"type":30,"tag":311,"props":733,"children":734},{"style":324},[735],{"type":39,"value":327},{"type":30,"tag":311,"props":737,"children":738},{"style":369},[739],{"type":39,"value":396},{"type":30,"tag":311,"props":741,"children":743},{"class":313,"line":742},22,[744,748],{"type":30,"tag":311,"props":745,"children":746},{"style":318},[747],{"type":39,"value":405},{"type":30,"tag":311,"props":749,"children":750},{"style":324},[751],{"type":39,"value":347},{"type":30,"tag":311,"props":753,"children":755},{"class":313,"line":754},23,[756,760,764],{"type":30,"tag":311,"props":757,"children":758},{"style":318},[759],{"type":39,"value":418},{"type":30,"tag":311,"props":761,"children":762},{"style":324},[763],{"type":39,"value":327},{"type":30,"tag":311,"props":765,"children":766},{"style":369},[767],{"type":39,"value":427},{"type":30,"tag":311,"props":769,"children":771},{"class":313,"line":770},24,[772],{"type":30,"tag":311,"props":773,"children":774},{"emptyLinePlaceholder":13},[775],{"type":39,"value":702},{"type":30,"tag":311,"props":777,"children":779},{"class":313,"line":778},25,[780,784,788,792],{"type":30,"tag":311,"props":781,"children":782},{"style":354},[783],{"type":39,"value":357},{"type":30,"tag":311,"props":785,"children":786},{"style":318},[787],{"type":39,"value":362},{"type":30,"tag":311,"props":789,"children":790},{"style":324},[791],{"type":39,"value":327},{"type":30,"tag":311,"props":793,"children":794},{"style":369},[795],{"type":39,"value":796}," 
\"github-actions\"\n",{"type":30,"tag":311,"props":798,"children":800},{"class":313,"line":799},26,[801,805,809],{"type":30,"tag":311,"props":802,"children":803},{"style":318},[804],{"type":39,"value":387},{"type":30,"tag":311,"props":806,"children":807},{"style":324},[808],{"type":39,"value":327},{"type":30,"tag":311,"props":810,"children":811},{"style":369},[812],{"type":39,"value":396},{"type":30,"tag":311,"props":814,"children":816},{"class":313,"line":815},27,[817,821],{"type":30,"tag":311,"props":818,"children":819},{"style":318},[820],{"type":39,"value":405},{"type":30,"tag":311,"props":822,"children":823},{"style":324},[824],{"type":39,"value":347},{"type":30,"tag":311,"props":826,"children":828},{"class":313,"line":827},28,[829,833,837],{"type":30,"tag":311,"props":830,"children":831},{"style":318},[832],{"type":39,"value":418},{"type":30,"tag":311,"props":834,"children":835},{"style":324},[836],{"type":39,"value":327},{"type":30,"tag":311,"props":838,"children":839},{"style":369},[840],{"type":39,"value":427},{"type":30,"tag":31,"props":842,"children":843},{},[844,846,852,854,860,862,867,869,874,876,881,883,888],{"type":39,"value":845},"Trois choses comptent dans cette configuration. D'abord le ",{"type":30,"tag":47,"props":847,"children":849},{"className":848},[],[850],{"type":39,"value":851},"groups",{"type":39,"value":853}," qui rassemble minor et patch en une seule PR : c'est ce qui fait passer un repo de 30 PR par semaine à 3. Ensuite le ",{"type":30,"tag":47,"props":855,"children":857},{"className":856},[],[858],{"type":39,"value":859},"open-pull-requests-limit: 5",{"type":39,"value":861}," qui force le réalisme, parce que personne ne traite 15 PR Dependabot en parallèle. 
Enfin le ",{"type":30,"tag":47,"props":863,"children":865},{"className":864},[],[866],{"type":39,"value":219},{"type":39,"value":868}," ciblé sur les majors risquées (ici les montées majeures de Next.js, que je veux préparer avec un ADR et une fenêtre de migration avant d'accepter), avec une règle stricte : tout ",{"type":30,"tag":47,"props":870,"children":872},{"className":871},[],[873],{"type":39,"value":219},{"type":39,"value":875}," doit être documenté dans un commentaire qui dit ",{"type":30,"tag":128,"props":877,"children":878},{},[879],{"type":39,"value":880},"pourquoi",{"type":39,"value":882}," il existe et ",{"type":30,"tag":128,"props":884,"children":885},{},[886],{"type":39,"value":887},"jusqu'à quand",{"type":39,"value":889}," il reste valide.",{"type":30,"tag":31,"props":891,"children":892},{},[893,895,901,903,909,911,916,918,923],{"type":39,"value":894},"En mission sur une codebase Java/Maven, le quotidien du secteur bancaire, je remplace simplement ",{"type":30,"tag":47,"props":896,"children":898},{"className":897},[],[899],{"type":39,"value":900},"npm",{"type":39,"value":902}," par ",{"type":30,"tag":47,"props":904,"children":906},{"className":905},[],[907],{"type":39,"value":908},"maven",{"type":39,"value":910}," et l'",{"type":30,"tag":47,"props":912,"children":914},{"className":913},[],[915],{"type":39,"value":219},{"type":39,"value":917}," Next.js par un ",{"type":30,"tag":47,"props":919,"children":921},{"className":920},[],[922],{"type":39,"value":219},{"type":39,"value":924}," sur un bump de Spring Boot que je veux préparer avec un ADR. Le reste de la structure (groups, limit, schedule, labels) ne change pas. 
C'est ce qui fait qu'une fois la discipline acquise sur un repo, vous la portez en 10 minutes sur le suivant, quel que soit l'écosystème.",{"type":30,"tag":274,"props":926,"children":928},{"id":927},"étape-2-le-pipeline-dauto-merge-intelligent",[929],{"type":39,"value":930},"Étape 2 : le pipeline d'auto-merge intelligent",{"type":30,"tag":31,"props":932,"children":933},{},[934,936,942],{"type":39,"value":935},"Dependabot seul, c'est 50% du travail. Sans auto-merge, vous gardez la charge mentale de chaque PR. Voici ce que j'ajoute systématiquement, sous forme de GitHub Action ",{"type":30,"tag":47,"props":937,"children":939},{"className":938},[],[940],{"type":39,"value":941},".github/workflows/dependabot-auto-merge.yml",{"type":39,"value":943}," :",{"type":30,"tag":150,"props":945,"children":946},{},[947,957,967],{"type":30,"tag":154,"props":948,"children":949},{},[950,955],{"type":30,"tag":35,"props":951,"children":952},{},[953],{"type":39,"value":954},"Patch",{"type":39,"value":956}," : auto-merge si la CI est verte. Pas de discussion. Une mise à jour de patch ne casse rien, sauf si la CI dit le contraire.",{"type":30,"tag":154,"props":958,"children":959},{},[960,965],{"type":30,"tag":35,"props":961,"children":962},{},[963],{"type":39,"value":964},"Minor",{"type":39,"value":966}," : review humaine obligatoire, mais rapide. 5 minutes pour lire le changelog et valider.",{"type":30,"tag":154,"props":968,"children":969},{},[970,975,977,983],{"type":30,"tag":35,"props":971,"children":972},{},[973],{"type":39,"value":974},"Major",{"type":39,"value":976}," : ADR obligatoire. 
Pas de bump de major sans une ",{"type":30,"tag":85,"props":978,"children":980},{"href":979},"/fr/architecture-craft/adr-architecture-decision-record",[981],{"type":39,"value":982},"décision documentée par ADR",{"type":39,"value":984}," qui dit pourquoi, quel impact, et quel plan de rollback.",{"type":30,"tag":31,"props":986,"children":987},{},[988,990,995],{"type":39,"value":989},"Cette discipline tient parce qu'elle est asymétrique : on automatise le bas risque, on humanise le haut risque. C'est exactement ce que Martin Fowler décrit dans son article ",{"type":30,"tag":128,"props":991,"children":992},{},[993],{"type":39,"value":994},"ContinuousIntegration",{"type":39,"value":996}," : automatiser ce qui doit l'être pour libérer du temps pour ce qui ne peut pas l'être.",{"type":30,"tag":274,"props":998,"children":1000},{"id":999},"étape-3-la-métrique-qui-compte-vraiment",[1001],{"type":39,"value":1002},"Étape 3 : la métrique qui compte vraiment",{"type":30,"tag":31,"props":1004,"children":1005},{},[1006,1008,1013],{"type":39,"value":1007},"J'instaure une seule métrique de suivi : la ",{"type":30,"tag":47,"props":1009,"children":1011},{"className":1010},[],[1012],{"type":39,"value":203},{"type":39,"value":1014}," sur les CVE critiques. Pas le nombre de PR mergées, pas le pourcentage de dépendances à jour. Juste : combien de temps entre la disclosure d'une CVE critique et son fix en prod.",{"type":30,"tag":31,"props":1016,"children":1017},{},[1018],{"type":39,"value":1019},"Sur crmcoaching, je suis à 3 jours en moyenne entre la disclosure d'une CVE critique et son fix en prod. Au démarrage, sans discipline, j'étais à plusieurs semaines. En mission, je vois régulièrement des équipes partir de 40 jours et plus. 
The drop is never linear; it comes from the three levers above combined.",{"type":30,"tag":64,"props":1021,"children":1022},{},[],{"type":30,"tag":68,"props":1024,"children":1026},{"id":1025},"les-3-erreurs-à-éviter",[1027],{"type":39,"value":1028},"The 3 mistakes to avoid",{"type":30,"tag":31,"props":1030,"children":1031},{},[1032],{"type":39,"value":1033},"Every team I have coached on this subject has made at least one of these three mistakes. Spare yourself the detour.",{"type":30,"tag":31,"props":1035,"children":1036},{},[1037,1049],{"type":30,"tag":35,"props":1038,"children":1039},{},[1040,1042,1047],{"type":39,"value":1041},"Mistake 1: letting Dependabot open 30 PRs a week without ",{"type":30,"tag":47,"props":1043,"children":1045},{"className":1044},[],[1046],{"type":39,"value":851},{"type":39,"value":1048},".",{"type":39,"value":1050}," Noise kills the signal. Developers start closing PRs without reading them. That is worse than no Dependabot at all, because you have the illusion of being protected.",{"type":30,"tag":31,"props":1052,"children":1053},{},[1054,1059],{"type":30,"tag":35,"props":1055,"children":1056},{},[1057],{"type":39,"value":1058},"Mistake 2: auto-merging minor and major updates.",{"type":39,"value":1060}," It is tempting, it relieves mental load, but a single breaking update in production destroys all trust in the pipeline. Auto-merge patch updates only, unless you have acceptance-level test coverage that covers your real business behaviours.",
{"type":30,"tag":31,"props":1062,"children":1063},{},[1064,1069,1071,1076,1078,1084,1086,1092],{"type":30,"tag":35,"props":1065,"children":1066},{},[1067],{"type":39,"value":1068},"Mistake 3: forgetting transitive dependencies.",{"type":39,"value":1070}," Dependabot scans what is in your ",{"type":30,"tag":47,"props":1072,"children":1074},{"className":1073},[],[1075],{"type":39,"value":52},{"type":39,"value":1077}," or your ",{"type":30,"tag":47,"props":1079,"children":1081},{"className":1080},[],[1082],{"type":39,"value":1083},"pom.xml",{"type":39,"value":1085},". But vulnerabilities often hide 3 or 4 levels further down, in libraries you never explicitly added. That is where ",{"type":30,"tag":85,"props":1087,"children":1089},{"href":1088},"/fr/intelligence-artificielle/llm-securite-code-vulnerabilites",[1090],{"type":39,"value":1091},"security alerts dedicated to AI-generated code",{"type":39,"value":1093}," complete the arsenal, not as a competitor but as a complement.",{"type":30,"tag":64,"props":1095,"children":1096},{},[],{"type":30,"tag":68,"props":1098,"children":1100},{"id":1099},"ce-que-ça-change-concrètement",[1101],{"type":39,"value":1102},"What it changes in concrete terms",{"type":30,"tag":31,"props":1104,"children":1105},{},[1106],{"type":39,"value":1107},"On the last 4 engagements where I deployed this discipline, here are the before/after figures, measured over 6 months.",
{"type":30,"tag":1109,"props":1110,"children":1111},"table",{},[1112,1136],{"type":30,"tag":1113,"props":1114,"children":1115},"thead",{},[1116],{"type":30,"tag":1117,"props":1118,"children":1119},"tr",{},[1120,1126,1131],{"type":30,"tag":1121,"props":1122,"children":1123},"th",{},[1124],{"type":39,"value":1125},"Metric",{"type":30,"tag":1121,"props":1127,"children":1128},{},[1129],{"type":39,"value":1130},"Before",{"type":30,"tag":1121,"props":1132,"children":1133},{},[1134],{"type":39,"value":1135},"After 6 months",{"type":30,"tag":1137,"props":1138,"children":1139},"tbody",{},[1140,1159,1177,1195],{"type":30,"tag":1117,"props":1141,"children":1142},{},[1143,1149,1154],{"type":30,"tag":1144,"props":1145,"children":1146},"td",{},[1147],{"type":39,"value":1148},"Time-to-patch for critical CVEs",{"type":30,"tag":1144,"props":1150,"children":1151},{},[1152],{"type":39,"value":1153},"32 days on average",{"type":30,"tag":1144,"props":1155,"children":1156},{},[1157],{"type":39,"value":1158},"6 days on average",{"type":30,"tag":1117,"props":1160,"children":1161},{},[1162,1167,1172],{"type":30,"tag":1144,"props":1163,"children":1164},{},[1165],{"type":39,"value":1166},"Dependabot PRs open for more than 14 days",{"type":30,"tag":1144,"props":1168,"children":1169},{},[1170],{"type":39,"value":1171},"18 on average",{"type":30,"tag":1144,"props":1173,"children":1174},{},[1175],{"type":39,"value":1176},"2 on average",{"type":30,"tag":1117,"props":1178,"children":1179},{},[1180,1185,1190],{"type":30,"tag":1144,"props":1181,"children":1182},{},[1183],{"type":39,"value":1184},"Production incidents linked to a supply-chain CVE",{"type":30,"tag":1144,"props":1186,"children":1187},{},[1188],{"type":39,"value":1189},"2 per year",{"type":30,"tag":1144,"props":1191,"children":1192},{},[1193],{"type":39,"value":1194},"0",{"type":30,"tag":1117,"props":1196,"children":1197},{},[1198,1203,1208],{"type":30,"tag":1144,"props":1199,"children":1200},{},[1201],{"type":39,"value":1202},"Developer hours spent on dependency management",
{"type":30,"tag":1144,"props":1204,"children":1205},{},[1206],{"type":39,"value":1207},"6 h per week",{"type":30,"tag":1144,"props":1209,"children":1210},{},[1211],{"type":39,"value":1212},"1.5 h per week",{"type":30,"tag":31,"props":1214,"children":1215},{},[1216],{"type":39,"value":1217},"The gain is not only technical, it is economic. One hour of senior developer time costs between 80 and 150 euros fully loaded. Saving four and a half hours a week is 18,000 to 35,000 euros a year. For a team of 5 developers, this financial discipline pays back its setup in 3 weeks.",{"type":30,"tag":31,"props":1219,"children":1220},{},[1221],{"type":39,"value":1222},"That is what I tell CTOs who hesitate: Dependabot is not an engineering topic, it is a capital-allocation topic.",{"type":30,"tag":64,"props":1224,"children":1225},{},[],{"type":30,"tag":68,"props":1227,"children":1229},{"id":1228},"conclusion",[1230],{"type":39,"value":1231},"Conclusion",{"type":30,"tag":31,"props":1233,"children":1234},{},[1235],{"type":39,"value":1236},"What I want you to take away from this article is that dependency management is not a hygiene chore you deal with when you have time. It is a craft process, on a par with code review or testing. And like any craft process, it needs an automated skeleton to last over time.",{"type":30,"tag":31,"props":1238,"children":1239},{},[1240],{"type":39,"value":1241},"AI speeds up code production. It also speeds up the production of dependency debt. Dependabot is one of the rare tools where automation does not replace judgement: it frees up time to exercise it where it really counts, on majors, critical CVEs and architectural choices. That is exactly what I look for in a good craft discipline.",
{"type":30,"tag":31,"props":1243,"children":1244},{},[1245,1247,1252],{"type":39,"value":1246},"If you recognised your own situation while reading these lines, you have two choices. You can wait for your next Log4Shell. Or you can start Monday morning with a single ",{"type":30,"tag":47,"props":1248,"children":1250},{"className":1249},[],[1251],{"type":39,"value":60},{"type":39,"value":1253}," under version control, and build from there.",{"type":30,"tag":247,"props":1255,"children":1260},{"cta":1256,"href":1257,"title":1258,"type":1259},"The 100 practices AI does not teach →","https://kamanga.fr/referentiel-craft","Dependency management is only one of the 100 practices that make senior-level code","product",[1261],{"type":30,"tag":31,"props":1262,"children":1263},{},[1264],{"type":39,"value":1265},"Configuring Dependabot the craft way is just one of the practices that separate a developer who suffers their debt from one who steers it. The Craft Bundle gathers the 100 practices I apply to write clean code, from dependency management to ADRs by way of review: exactly the ones AI will never teach you, because it has never seen them hold up in production.",{"type":30,"tag":64,"props":1267,"children":1268},{},[],{"type":30,"tag":68,"props":1270,"children":1272},{"id":1271},"faq-sur-dependabot-et-la-gestion-de-dépendances",[1273],{"type":39,"value":1274},"FAQ on Dependabot and dependency management",{"type":30,"tag":1276,"props":1277,"children":1278},"details",{},[1279,1285],{"type":30,"tag":1280,"props":1281,"children":1282},"summary",{},[1283],{"type":39,"value":1284},"1. Dependabot or Renovate: which one to choose?",{"type":30,"tag":31,"props":1286,"children":1287},{},[1288],{"type":39,"value":1289},"Dependabot is free, natively integrated into GitHub, and more than enough for most teams. Renovate is more powerful (finer-grained rules, more ecosystems, native monorepo support) but takes more time to configure. My advice: start with Dependabot. If after 6 months you hit its limits (you will know), move to Renovate. But do not start with Renovate; you will lose 2 weeks before the first useful PR.",
{"type":30,"tag":1276,"props":1291,"children":1292},{},[1293,1298],{"type":30,"tag":1280,"props":1294,"children":1295},{},[1296],{"type":39,"value":1297},"2. Should you auto-merge patch updates?",{"type":30,"tag":31,"props":1299,"children":1300},{},[1301],{"type":39,"value":1302},"Yes, on one condition: your CI must be green, complete and reliable. If your test coverage is weak (under 60% on critical paths), auto-merge nothing. Strengthen the tests first, then enable auto-merge on patch updates only. Never on minor or major without human review.",{"type":30,"tag":1276,"props":1304,"children":1305},{},[1306,1311],{"type":30,"tag":1280,"props":1307,"children":1308},{},[1309],{"type":39,"value":1310},"3. How do you handle dependencies you cannot update (locked to an old version)?",{"type":30,"tag":31,"props":1312,"children":1313},{},[1314,1316,1321,1323,1328,1330,1335,1337,1342,1344,1350],{"type":39,"value":1315},"Use the ",{"type":30,"tag":47,"props":1317,"children":1319},{"className":1318},[],[1320],{"type":39,"value":219},{"type":39,"value":1322}," block of the ",{"type":30,"tag":47,"props":1324,"children":1326},{"className":1325},[],[1327],{"type":39,"value":60},{"type":39,"value":1329},", but with a strict rule: every ",{"type":30,"tag":47,"props":1331,"children":1333},{"className":1332},[],[1334],{"type":39,"value":219},{"type":39,"value":1336}," must be documented (a YAML comment explaining why and until when) and reviewed every 3 months. An ",{"type":30,"tag":47,"props":1338,"children":1340},{"className":1339},[],[1341],{"type":39,"value":219},{"type":39,"value":1343}," that is not documented becomes hidden technical debt. You trade a security problem for a forgetting problem, which is exactly the mechanism described in this article on ",{"type":30,"tag":85,"props":1345,"children":1347},{"href":1346},"/fr/dette-technique/legacy-code-evaluer-risque",[1348],{"type":39,"value":1349},"assessing legacy risk",{"type":39,"value":1048},
{"type":30,"tag":1276,"props":1352,"children":1353},{},[1354,1359],{"type":30,"tag":1280,"props":1355,"children":1356},{},[1357],{"type":39,"value":1358},"4. Dependabot creates too many PRs, how do I reduce the noise?",{"type":30,"tag":31,"props":1360,"children":1361},{},[1362,1364,1369,1371,1376,1378,1384,1386,1392,1394,1400],{"type":39,"value":1363},"Three levers, in this order. First, group minor and patch updates via the ",{"type":30,"tag":47,"props":1365,"children":1367},{"className":1366},[],[1368],{"type":39,"value":851},{"type":39,"value":1370}," key. That is what divides the noise by 10. Second, cap them with ",{"type":30,"tag":47,"props":1372,"children":1374},{"className":1373},[],[1375],{"type":39,"value":859},{"type":39,"value":1377},". Third, space out the ",{"type":30,"tag":47,"props":1379,"children":1381},{"className":1380},[],[1382],{"type":39,"value":1383},"schedule",{"type":39,"value":1385}," to ",{"type":30,"tag":47,"props":1387,"children":1389},{"className":1388},[],[1390],{"type":39,"value":1391},"weekly",{"type":39,"value":1393}," rather than ",{"type":30,"tag":47,"props":1395,"children":1397},{"className":1396},[],[1398],{"type":39,"value":1399},"daily",{"type":39,"value":1401},". With these three settings, you go from 30 PRs a week to 3 or 4.",{"type":30,"tag":1276,"props":1403,"children":1404},{},[1405,1410],{"type":30,"tag":1280,"props":1406,"children":1407},{},[1408],{"type":39,"value":1409},"5. What about AI-generated code that pulls in outdated dependencies?",
{"type":30,"tag":31,"props":1411,"children":1412},{},[1413],{"type":39,"value":1414},"That is exactly the scenario Dependabot protects against. Claude pulls in libraries it knows from its training data, often 12 to 18 months behind the current version. Dependabot catches up on those gaps at the next PR. The craft discipline to add: audit every dependency Claude proposes before accepting it into the code. It is a 30-second reflex that saves hours of remediation.",{"type":30,"tag":1276,"props":1416,"children":1417},{},[1418,1423],{"type":30,"tag":1280,"props":1419,"children":1420},{},[1421],{"type":39,"value":1422},"6. What is the real ROI of a good Dependabot configuration?",{"type":30,"tag":31,"props":1424,"children":1425},{},[1426],{"type":39,"value":1427},"On the 4 engagements where I measured it, the ROI sits between 18,000 and 35,000 euros a year for a team of 5 developers. The calculation is simple: 4 to 5 developer hours saved per week, at a loaded cost of 80 to 150 euros an hour. Not counting the avoided incidents, whose unit cost can exceed 50,000 euros for a critical CVE in production.",{"type":30,"tag":64,"props":1429,"children":1430},{},[],{"type":30,"tag":247,"props":1432,"children":1437},{"cta":1433,"href":1434,"title":1435,"type":1436},"Assess my team's maturity →","/mes-ressources","Free resource: Engineering Maturity Assessment","resource",[1438],{"type":30,"tag":31,"props":1439,"children":1440},{},[1441],{"type":39,"value":1442},"The EMA is the tool I offer at the start of every engagement. It measures your team's maturity across several engineering axes, including technical debt, delivery, AI governance and architecture. Dependency management is one of its sub-axes. A few minutes to get a clear view of your engineering liabilities, and to know where to focus your efforts first.",
{"type":30,"tag":1444,"props":1445,"children":1446},"style",{},[1447],{"type":39,"value":1448},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":8,"searchDepth":336,"depth":336,"links":1450},[1451,1452,1453,1459,1460,1461,1462],{"id":70,"depth":336,"text":73},{"id":140,"depth":336,"text":143},{"id":264,"depth":336,"text":267,"children":1454},[1455,1457,1458],{"id":276,"depth":350,"text":1456},"Step 1: the craft dependabot.yml",{"id":927,"depth":350,"text":930},{"id":999,"depth":350,"text":1002},{"id":1025,"depth":336,"text":1028},{"id":1099,"depth":336,"text":1102},{"id":1228,"depth":336,"text":1231},{"id":1271,"depth":336,"text":1274},"markdown","content:fr:dette-technique:dependabot-craft-gestion-dependances.md","content","fr/dette-technique/dependabot-craft-gestion-dependances.md","fr/dette-technique/dependabot-craft-gestion-dependances","md",1782669256792]