Learn How To Make Automated Dependency Updates Easily With Dependabot

Featured image

Every time we start a new project is almost the same story. We might have the big picture and we start to install and to stack libraries and other dependencies to finish a task. After a couple development cycles we have just lost control of our libraries. That package.json is kilometric and no one knows what is really needed and to make it worse, even what we actually need is outdated. Nobody will touch that pile of dependencies fearing to break something and to be honest, we all ignore it as long as everything works. Vulnerabilities, bug fixes and new features are important factors of all projects, and that is because staying up to date is the most secure strategy.

About Dependabot

Is a dependable robot who’ll keep your dependencies up to date for you. It’s free of charge because it has been acquired by GitHub and it’s ready to be integrated with your projects. There are many supported languages like JavaScript, Python and even Terraform and Docker are in the list.

dependabot logo

How It Works

On a daily basis or in a time stipulated by the user, Dependabot looks for any outdated dependencies and if anything is outdated, it opens a Pull Request for each finding. Then the update can be included by accepting the Pull Request saving the day bringing automation. Each Pull Requests includes release notes, changelogs, commit links and detailed information.

dependabot example

Get Started

To start using Dependabot connect a GitHub account to it, but since Dependabot is moving natively into GitHub we can setup the configuration in .github/dependabot.yml file in a repository. What I like about this is the simplicity and how easy to read this file is.

version: 2
  - package-ecosystem: npm
    directory: "/"
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: development
      - hndoss

Automation Itself Isn’t The Answer

In on the other hand, automation can be dangerous if we are not careful. Often automation problems are not related to the mechanism or functionality of the tools but in the process to manage them. Automatically opening Pull Requests will only bring you spam if a healthy review/merge process has not been implemented. We can easily get overwhelmed by the count results, and like we do with our clothes, it’s easier to do it on a weekly basis, rather than letting it all pile up for a month.