Learn How To Make Automated Dependency Updates Easily With Dependabot
Every time we start a new project, it is almost the same story. We have the big picture, and we start installing and stacking libraries and other dependencies to finish a task. After a couple of development cycles we have lost control of our libraries. That package.json is kilometric, no one knows what is really needed and, to make it worse, even what we actually need is outdated. Nobody will touch that pile of dependencies for fear of breaking something and, to be honest, we all ignore it as long as everything works. Vulnerability fixes, bug fixes and new features are important factors in every project, which is why staying up to date is the most secure strategy.
How It Works
On a daily basis, or on a schedule set by the user, Dependabot looks for outdated dependencies and, if it finds any, opens a Pull Request for each finding. The update is then included by accepting the Pull Request, which is where the automation saves the day. Each Pull Request includes release notes, changelogs, commit links and other detailed information.
To start using Dependabot you used to connect a GitHub account to it, but since Dependabot is moving natively into GitHub we can now set up the configuration in a .github/dependabot.yml file in the repository. What I like about this is the simplicity and how easy to read this file is.
```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: development
    reviewers:
      - hndoss
```
Automation Itself Isn’t The Answer
On the other hand, automation can be dangerous if we are not careful. Often automation problems are not related to the mechanism or functionality of the tools but to the process for managing them. Automatically opening Pull Requests will only bring you spam if a healthy review/merge process has not been implemented. We can easily get overwhelmed by the number of results, and, like we do with our laundry, it is easier to deal with it on a weekly basis than to let it all pile up for a month.
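To tie the configuration above to that review process, here is an added, more complete .github/dependabot.yml (my own example, not taken from the original post) that keeps the weekly cadence and the reviewer from the post, caps the number of open Pull Requests so the queue stays reviewable, and also covers the repository's GitHub Actions workflows. The branch names, the "express" dependency in the ignore rule, the labels and the timezone are assumed placeholders.

```yaml
version: 2
updates:
  # Application dependencies from package.json
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      # Weekly batch: one review session instead of a daily trickle
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Madrid"   # assumed placeholder
    # Hard cap on open PRs so automation cannot flood the review queue
    open-pull-requests-limit: 5
    target-branch: "development"  # assumed branch name
    reviewers:
      - "hndoss"
    labels:
      - "dependencies"            # assumed label
    # Only production dependencies ship to users; dev tooling can wait
    allow:
      - dependency-type: "production"
    # Major bumps need a human decision; keep receiving minor/patch fixes
    ignore:
      - dependency-name: "express"  # assumed placeholder dependency
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "chore(deps)"

  # The CI workflows themselves are dependencies too (pinned action versions)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 3
    reviewers:
      - "hndoss"
    labels:
      - "dependencies"
      - "ci"                      # assumed label
```

Security-only updates triggered by GitHub alerts are not limited by open-pull-requests-limit, so a vulnerability fix still gets its own Pull Request even when the cap is reached.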