If you want to be a productive programmer you likely want to take advantage of libraries, plugins, and frameworks that other people have made. Why not stand on the shoulders of giants, right? Libraries like lodash and redux have been pounded on for years, so it generally makes sense to take advantage of quality that’s been built up over years of commits. But unfortunately there’s a dark side-effect of all of this sharing... security vulnerabilities.
It’s not as common as haters of NodeJS/NPM would like you to believe, but vulnerabilities do crop up in popular libraries. Thanks to the bounty prizes that NPM makes available, paying customers of NPM Enterprise find out about exploits sooner than the general public. “Wait,” you say, “I don’t pay for NPM Enterprise... so what about me?” That’s where Dependabot comes in.
Dependabot will automatically open a pull request against your GitHub repository and attempt to merge that PR if your unit tests pass. That means that as soon as a fix for a vulnerability is published, your code is going to get the fix.
I’m all about living in the present but still protecting the future. In fact, that’s one of the core topics at CubicleBuddha.com. So that’s why I use Dependabot to help me do the minimum amount of work to stay vigilant. I’ve heard it said that the best programmers are the laziest ones, because those are the programmers who will find a creative way to do less work. Jokes aside: time is precious, so why not spend more of it creating features that help your users?
Other reasons you should care to use Dependabot:
- your favorite UI widget library fixes an accessibility issue and you get that fix out to your users quickly, for free
- you work at a big company and you want to make sure all of your teams stay on a consistent version of a private library. Dependabot can save you tons of meetings and governance.
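Here is what the setup described above looks like in practice: the pull-request flow from the paragraph on how Dependabot works, plus the private-library case from the list. This is an added example, not configuration from the original post; it assumes the GitHub-native Dependabot `version: 2` config file (`.github/dependabot.yml`), and the registry name, URL, secret name and the `react` pin are made-up placeholders.

```yaml
# .github/dependabot.yml  (added example; assumes GitHub-native Dependabot v2 syntax)
version: 2

registries:
  # Hypothetical private npm registry so Dependabot can see your internal library.
  # Name, URL and secret name are assumptions; the token lives in repo secrets, never in this file.
  internal-npm:
    type: npm-registry
    url: https://npm.example.internal
    token: ${{ secrets.INTERNAL_NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"              # where package.json / lockfile live
    schedule:
      interval: "daily"         # check for new versions every day
    registries:
      - internal-npm            # include the private registry for this ecosystem
    open-pull-requests-limit: 10
    labels:
      - "dependencies"          # makes Dependabot PRs easy to filter in CI and branch protection
    # Keep a major-version upgrade as a deliberate, coordinated team decision
    # rather than an automatic PR (placeholder dependency name).
    ignore:
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
```

This file governs version updates; the alert-driven security updates the post talks about are switched on separately under the repository's security settings. Whether a passing-tests PR actually lands is controlled by your branch protection rules and required status checks, so make sure the test suite is a required check before trusting any merge automation.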
So now that Dependabot is free (thanks GitHub and Microsoft!), go integrate it into your repo and enjoy getting back to your life. :)