DEV Community

Cover image for How to keep your repo package dependencies up to date automatically
Danilo Assis
Danilo Assis

Posted on • Updated on

How to keep your repo package dependencies up to date automatically

Photo by Andrea De Santis on Unsplash


Learn how to implement the dependabot to update automatically your dependencies, open a pr with the dep updated, run tests inside of this pull request, and merge automatically if is a success.

Daily Tasks as a Developer

The work of a developer usually refers to those Hollywood movies in which a smart person or a hacker is typing while we see various codes in green colors on the screen. Or black rooms where the light of the monitor is the only thing you can see.

But, the developer's work is like most works. It will have problems to solve every day, daily tasks to understand, and think what is the best way to fix it. And, like any other work, it will have daily tasks that could take time from our day.

You can compare a dev routine like having a restaurant. Every day that you come into your restaurant you must: open the windows, turn on the lights, clear the floor, wash some dishes, open the chairs, whatever, as I said: daily tasks.

Updating the dependencies of my packages is one of these daily tasks. And, as the project starts to grow up, starts to be harder to keep this manually.


Working with GitHub actions tasks are easier to abstract and to do it with this task let's create:

  • The dependabot configuration that will open daily a new pull request updating a specific dependence.
  • The GitHub action responsible to run the tests from the application inside of this pull request opened
  • The Github action responsible to merge this pull request if the checks inside of the pull request result in success.

Description of the automation flow

These flows work together. So, it is important to write tests to have the dependabot working every day and these tests being responsible to identify problems with the updates.

Dependabot Config

Let's add a configuration to run daily a dependabot looking for updates from dependencies inside the application.

  • inside your project on root probably will have a folder named .github. If don't, create manually by now.
  • create a new file inside of it and name as dependabot.yml
  • place the code below
version: 2
  - package-ecosystem: npm
    directory: '/'
      interval: daily
      time: '01:00'
    open-pull-requests-limit: 10
Enter fullscreen mode Exit fullscreen mode

This yml file will set a configuration to the dependabot:

  • It opens a pull request daily
  • With an interval time with 01:00
  • It has a max limit with 100
  • Every pull request from dependabot will result in a new notification for the owner repository

Workflows folder

Before creating the GitHub actions the workflows folder needs to be created if does not exist yet.

  • inside of .github create a new folder and name as workflows

Test GitHub action

important: this flow is responsible to run your application tests. So, it is expected a jest environment is already configured. If you don't have it yet it is a good time to start to write tests.

Let's create the GitHub action responsible to run all tests from the repository inside of each pull request opened.

  • inside of the workflows folder create a new file and name as test.yml
  • place the code below
name: tests

      - main
      - main

    runs-on: ubuntu-latest

      - uses: actions/checkout@v2
      - name: Setup Node.js
        uses: actions/setup-node@v2
          node-version: "14"
      - run: yarn
      - run: yarn jest
Enter fullscreen mode Exit fullscreen mode

This yml file will set a new action responsible to:

  • Run all tests inside of each pull request will be merged on main branch.
  • It will run the yarn command to install all dependencies.
  • Then will run yarn jest to run all tests.

Dependabot auto-merge GitHub action

Let's create the GitHub action responsible to merge automatically the pull requests opened by dependabot. When all checks are green this action will merge then automatically.

  • create a new file inside of workflows and name as auto-merge.yml
  • place the code below
name: auto-merge

      - main

    runs-on: ubuntu-latest
    if: == 'dependabot[bot]'
      - uses: ahmadnassri/action-dependabot-auto-merge@v2.4
          github-token: ${{ secrets.AUTOMERGE_TOKEN }}
          command: 'squash and merge'
          target: minor
Enter fullscreen mode Exit fullscreen mode

This yml file will set a new action responsible to:

  • When the pull request actor be 'dependabot[bot]'
  • It will use the ahmadnassri/action-dependabot-auto-merge@v2.4
  • It will run 'squash and merge' if the checks from pull request are green
  • Only for pull request updating dependencies from target minor
  • You don’t waste your time reviewing package dependencies notifications

The .github folder should look like this:
github folder print

Update these changes inside a new pull request and start to see the magic happens.

A print from the pull request list page on github

pull request detail github page print

This pull request from print above:

use this pull request as an example about how to implement this blog post

Welcome to the Automation

Now, your application already has new automation to help you with your daily tasks, and with the time that you need to invest doing them manually, you can start to invest in new things to your application.

Why automate

You need to write more tests to start to spend less time writing tests. You need to update the dependencies of your application daily otherwise you will have a legacy application sooner than you think.

Feel free to call my DM on Twitter if having any doubt or insight into this flow.

Support me on Patreon to help me with my opensource work.

Get into my discord to have mentorship for free about all of my content.

Top comments (7)

j9t profile image
Jens Oliver Meiert

Dependencies need automated managing. With the available tooling, there’s no excuse for outdated software.

Just a fan of these: Depfu is really nice for npm/Yarn, Bundler, and Hex projects. For enterprise contexts, Renovate may be most powerful. Personally, I prefer these over Dependabot.

codewander profile image

It's cool that you wrote this. I was pretty happy with dependabot on the last project that I used it for.

Currently, I am leaning towards renovatebot over the other options. I like that it can provide summaries of dependencies in a batch PR and that it also reports on community adoption levels of each package version in the summary.

emanuelferreira profile image
Emanuel Ferreira


mrdulin profile image
official_dulin • Edited

TLDR. I guess the solution is Dependabot + Github actions

andypiper profile image
Andy Piper

This is great. I use the Security tab -> Dependabot alerts setting when I set up a new repo, and it can be so useful. Thanks.

renatosugimoto profile image

Dependabot has been are part of the CICD tools for all my projects on the past 3 years.

italosantana profile image
Ítalo Santana

What a good article, Danilo. Thanks for sharing this content! <3