Why Automated Dependency Updates Matter for MTD Security
Release: v1.0.418 | Control: SEC-27 | Category: Dependency Security
Overview
As part of our ongoing security programme, audit control SEC-27 flagged the absence of an automated dependency update configuration in the platform repository. This post explains what that means, why it matters in the context of a Making Tax Digital (MTD) compliance platform, and what the recommended remediation looks like.
The Finding
No .github/dependabot.yml or renovate.json file was present in the repository. As a result, security patches published to npm for any of the platform's direct dependencies are not automatically surfaced as pull requests. Updates only occur when a developer manually runs npm update — a process that has no guaranteed cadence and is easy to deprioritise during active feature development.
Why This Matters
The platform handles sensitive taxpayer data and connects directly to HMRC via OAuth. Its dependency tree includes several packages where a disclosed CVE could have real consequences:
| Package | Risk Area |
|---|---|
| next (Next.js) | Framework-level RCE, header injection, and SSR vulnerabilities |
| next-auth / Auth.js | Session handling, OAuth token management, credential exposure |
| drizzle-orm | SQL query construction; injection surface |
| Stripe SDK | Payment data handling; PCI scope |
| @sentry/* | Data captured in error payloads; potential PII leakage |
| bcryptjs | Password hashing; cryptographic correctness |
When a CVE is disclosed for any of these packages, the window between public disclosure and patch availability is typically hours to days. Without automated update proposals, the practical window before a patch is applied to this platform could be weeks or longer.
Recommended Configuration
Create .github/dependabot.yml in the repository root with the following content:
```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    allow:
      - dependency-type: direct
    groups:
      minor-and-patch:
        update-types:
          - minor
          - patch
```
Configuration Decisions Explained
package-ecosystem: npm
Targets the package.json / package-lock.json at the repository root.
schedule: interval: weekly
Runs every week. This balances responsiveness with PR volume — Dependabot will batch updates rather than opening a PR for every individual release.
open-pull-requests-limit: 10
Caps concurrent open Dependabot PRs at 10, preventing the pull request queue from becoming overwhelming.
allow: dependency-type: direct
Focuses only on packages listed in dependencies and devDependencies, not transitive dependencies. This keeps the signal-to-noise ratio high; transitive dependency vulnerabilities are surfaced through other controls (e.g., npm audit).
groups: minor-and-patch
Batches minor and patch updates into a single PR per cycle rather than one PR per package. Major version bumps are left ungrouped so they receive individual review.
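Because the allow rule restricts Dependabot to direct dependencies, a CI gate over npm audit output is what catches the rest. The following Python script is an added example, not code from the post or the platform: it reads an npm audit --json report in the npm 7+ shape (a constructed sample with placeholder package names and advisory ids is embedded so it runs offline), separates direct from transitive exposure, records whether the available fix is a breaking major bump, and applies an assumed policy of failing on high or critical findings in direct dependencies and on critical findings only for transitive ones.

```python
"""Triage an `npm audit --json` report by direct vs transitive exposure.
Added example, not from the audit post or the platform.  Assumes the npm 7+
report shape: a top-level "vulnerabilities" map whose entries carry
"severity", "isDirect", "via" (advisory objects, or names of vulnerable
dependencies) and "fixAvailable" (bool, or an object whose "isSemVerMajor"
flags a breaking upgrade).  The gate policy is an assumption."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report: package names and GHSA ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-session-lib": {
            "name": "example-session-lib", "severity": "high", "isDirect": True,
            "via": [{"source": 1, "name": "example-session-lib", "severity": "high",
                     "title": "Session fixation (constructed)",
                     "url": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"}],
            "effects": [],
            "fixAvailable": {"name": "example-session-lib", "version": "2.1.0", "isSemVerMajor": False},
        },
        "example-util": {
            "name": "example-util", "severity": "moderate", "isDirect": False,
            "via": [{"source": 2, "name": "example-util", "severity": "moderate",
                     "title": "Prototype pollution (constructed)",
                     "url": "https://github.com/advisories/GHSA-yyyy-yyyy-yyyy"}],
            "effects": ["example-build-tool"],
            "fixAvailable": {"name": "example-build-tool", "version": "9.0.0", "isSemVerMajor": True},
        },
        "example-build-tool": {
            "name": "example-build-tool", "severity": "moderate", "isDirect": True,
            "via": ["example-util"],  # affected only through example-util
            "effects": [],
            "fixAvailable": {"name": "example-build-tool", "version": "9.0.0", "isSemVerMajor": True},
        },
    },
})


def triage(report_json):
    """Return one row per vulnerable package with the fields a reviewer needs,
    ordered by severity, then direct before transitive, then name."""
    report = json.loads(report_json)
    rows = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        fix = vuln.get("fixAvailable")
        rows.append({
            "package": name,
            "severity": vuln.get("severity", "info"),
            "direct": bool(vuln.get("isDirect")),
            # A `via` list holding only package names means the package is
            # affected through a dependency; it has no advisory of its own.
            "own_advisory": bool(advisories),
            "advisory_urls": [a.get("url") for a in advisories],
            "fix_available": bool(fix),
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]], not r["direct"], r["package"]))
    return rows


def gate(rows, direct_threshold="high", transitive_threshold="critical"):
    """Return the rows that should fail CI under the assumed policy: direct
    dependencies (the Dependabot scope) fail at `direct_threshold` or above,
    transitive ones only at `transitive_threshold`, since they need a manual
    override or an upstream release rather than a Dependabot PR."""
    return [
        r for r in rows
        if SEVERITY_RANK[r["severity"]]
        >= SEVERITY_RANK[direct_threshold if r["direct"] else transitive_threshold]
    ]


if __name__ == "__main__":
    import sys
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    rows = triage(piped or SAMPLE_REPORT)
    for r in rows:
        scope = "direct" if r["direct"] else "transitive"
        fix = "breaking fix" if r["fix_is_breaking"] else ("fix available" if r["fix_available"] else "no fix")
        print(f"{r['severity']:<9}{scope:<11}{r['package']:<24}{fix}")
    failing = gate(rows)
    print(f"{len(failing)} package(s) exceed the gate threshold")
    sys.exit(1 if failing else 0)
```

Pipe a real report in with `npm audit --json | python3 audit_gate.py` (file name assumed); with no input it triages the embedded sample. Rows flagged as a breaking fix are the ones that the grouped minor-and-patch PR will never deliver and that need an individually reviewed major bump.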
What Happens After Configuration
Once .github/dependabot.yml is committed to the default branch:
- GitHub reads the configuration and schedules the first dependency scan.
- Within the first weekly window, Dependabot opens PRs for any outdated direct dependencies.
- Each PR includes a changelog summary, compatibility score, and links to the upstream release notes.
- Security-classified updates (those tied to a GitHub Advisory) are opened immediately, regardless of the weekly schedule.
- PRs can be reviewed, tested against CI, and merged like any other pull request.
Relationship to MTD Compliance
HMRC's MTD ITSA mandate requires that software vendors maintain the integrity and security of data submitted on behalf of taxpayers. Keeping dependencies patched is a foundational control in any software security programme and directly supports:
- Data integrity — preventing injection or tampering vulnerabilities
- Authentication security — keeping OAuth and session libraries current
- Audit readiness — demonstrating a documented, repeatable process for dependency hygiene
Addressing SEC-27 closes a gap in the platform's automated security posture and reduces mean time to patch (MTTP) for disclosed vulnerabilities.