In this tutorial, you will learn how to use the GitHub dependency bot to make sure your packages stay up to date without breaking your code.
I will be showing you how to add versions to Python dependencies and how to set up Dependabot to run on your GitHub repository to make sure you always have the latest version in your requirements.txt. Dependabot will send Pull Requests to your repo whenever a package is out of date so you can easily check the changelog, test the new version, and update your requirements file with a single click.
The Dependabot configuration steps can be applied to dependencies of many types and in many languages including github-actions
, docker
, pip
(Python), npm
(JavaScript), composer
(PHP), and many others.
This article was originally a video tutorial, which you can check out here:
Make sure your packages have version numbers
When using a requirements.txt
in a Python project, version numbers are optional. If they are not provided, running the command to install the packages will always get the latest version of the package.
So why should we add version numbers?
It is very risky to install dependencies without specifying version numbers. Often times packages will receive updates that break or alter existing functionality and require the dependent to update their code to continue using the package. In the case of a new major release, your code may all of a sudden break just because you wrote it for a different version of a package you are using.
How do you add version numbers?
In your requirements.txt
, you can specify version numbers by appending ==
followed by the version to the package name. To find out what version of each package your are using, you can run pip freeze
in your terminal.
This is an example requirements.txt
with version numbers included:
Automatic updates with Dependabot
Step 1 - Click on Insights
Step 2 - Click "Dependency graph", then "Dependabot"
Step 3 - Enable Dependabot and create a config file
Make sure to insert the name of your package ecosystem on the line that is highlighted below. See this link for the list of possible options.
Step 4 - Push the configuration file to your main branch and wait for pull requests
Within a few minutes, you should start receiving PRs (possibly longer if you already have everything up to date ๐)
Reviewing Dependabot PRs
Here's what a Dependabot PR looks like:
It will give you details about the changes to the package and allow you run tests if that is applicable to your repo.
Once your code is tested and seems to be working with the new version, you can update your requirements by simply clicking "Merge Pull Request".
Whenever a change is made to the requirements, Dependabot will automatically rebase all of it's open PRs to ensure there are never any merge conflicts.
Conclusion
I hope you found this tutorial useful.
Check out the full video for further explanations and be sure to like and subscribe!
- Jonah Lawrence
Twitter: @DenverCoder1
YouTube: Jonah Lawrence - Dev Pro Tips
Discord server: https://discord.gg/fPrdqh3Zfu
Top comments (2)
Is there a way to have it only run CI Checks 1 by 1 and merge.. Rather than say 20 checks, merge 1, retrigger 19 checks, merge 1, retrigger 18 etc?
Would be nice to be able to reduce the CI time and cost.
Since the codebase changes when you merge a PR, the checks will run again in order to ensure it is compatible with the new version of the default branch.
To avoid this, you could either modify the CI to skip automatic checks when the author is dependabot, so you'll have to run it manually on each PR.
Or alternatively, you could try this workflow (or a similar one) that will group dependency PRs together into one, so you can merge them all at once.