Jonah Lawrence

Posted on DEV Community • Originally published at jonahlawrence.hashnode.dev

Keeping your dependencies updated automatically with Dependabot

In this tutorial, you will learn how to use Dependabot, GitHub's dependency update bot, to make sure your packages stay up to date without breaking your code.

I will be showing you how to add versions to Python dependencies and how to set up Dependabot to run on your GitHub repository to make sure you always have the latest version in your requirements.txt. Dependabot will send Pull Requests to your repo whenever a package is out of date so you can easily check the changelog, test the new version, and update your requirements file with a single click.

The Dependabot configuration steps can be applied to dependencies of many types and in many languages including github-actions, docker, pip (Python), npm (JavaScript), composer (PHP), and many others.

This article was originally a video tutorial, which you can check out here:

Make sure your packages have version numbers

When using a requirements.txt in a Python project, version numbers are optional. If they are omitted, pip install -r requirements.txt will always fetch whatever the latest published version of each package is at install time.

So why should we add version numbers?

It is very risky to install dependencies without specifying version numbers. Packages often receive updates that break or alter existing functionality and require dependents to change their code to keep using the package. After a new major release, code that was written against the previous version may suddenly break even though nothing in your own repository changed.

How do you add version numbers?

In your requirements.txt, you can specify version numbers by appending == followed by the version to the package name. To find out what version of each package you are using, run pip freeze in your terminal; it prints every installed package in exactly this name==version format.

pip freeze

This is an example requirements.txt with version numbers included:

[image: example requirements.txt with pinned versions]
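As an added example (not part of the original tutorial), here is a small checker that parses a requirements.txt in the format described above and reports every dependency that is not pinned with ==. The sample file at the top is constructed for the demo; the name, operator and version handling follows the standard requirements line syntax, and lines such as -r other.txt are skipped rather than parsed.

```python
"""Flag dependencies in a requirements.txt that are not pinned to an exact version.

Added example, not part of the original tutorial. It handles the subset of the
requirements format the article uses: one "name==version" line per package,
comments, blank lines, and the looser ">=" / "~=" style specifiers. Anything
without "==" lets "pip install -r requirements.txt" pull a release you have
not reviewed, which is exactly what pinning (and Dependabot) is meant to avoid.
"""
import re
import sys

# name, optional [extras], optional operator and version; environment markers
# (after ";") and inline comments (after "#") are ignored.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?"
    r"\s*(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<version>[^\s;#]+)?"
)

# Constructed sample input; not a real project's file.
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.31.0
Flask>=2.0          # a range still floats to new minor releases
numpy
-r dev-requirements.txt
pyyaml~=6.0
"""


def parse_requirements(text):
    """Return (name, operator, version) for each requirement line.

    Comments, blank lines and pip options such as "-r other.txt" are skipped;
    a missing operator/version is reported as None.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = _REQ_RE.match(line)
        if match is None:
            continue
        entries.append((match.group("name"), match.group("op"), match.group("version")))
    return entries


def unpinned(text):
    """Names of requirements that are not locked with '=='."""
    return [name for name, op, _ in parse_requirements(text) if op != "=="]


def report(text):
    """Human-readable summary, returned as a list of lines so callers can check it."""
    names = unpinned(text)
    if not names:
        return ["all requirements are pinned with =="]
    return [f"not pinned: {name}" for name in names]


if __name__ == "__main__":
    # Usage: python check_pins.py [requirements.txt]; defaults to the sample above.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    print("\n".join(report(source)))
```

Running it on the constructed sample reports Flask, numpy and pyyaml: a >= or ~= range is better than nothing, but it still lets a new release into your environment without a pull request you can review, so only == gives Dependabot a fixed baseline to propose updates from.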

Automatic updates with Dependabot

Step 1 - Click on Insights

[image: the Insights tab on the repository page]

Step 2 - Click "Dependency graph", then "Dependabot"

[image: Dependency graph, then the Dependabot tab]

Step 3 - Enable Dependabot and create a config file

Make sure to insert the name of your package ecosystem (for example pip, npm or github-actions) on the package-ecosystem line that is highlighted below. See this link for the list of possible options.

[image: the generated dependabot.yml with the package-ecosystem line highlighted]

Step 4 - Push the configuration file to your main branch and wait for pull requests

Within a few minutes, you should start receiving PRs (possibly longer if everything is already up to date 😄).
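The four steps above end with a .github/dependabot.yml on your main branch. As an added example (not the tutorial's own config or GitHub's tooling), the script below infers which ecosystems a repository uses from its manifest files and renders that file with the same keys the generated config uses: version, updates, package-ecosystem, directory and schedule.interval. The marker-file mapping and the file listing are this example's own assumptions, and the ecosystem and interval tables are a subset of what Dependabot accepts, not the full list.

```python
"""Build a .github/dependabot.yml from the marker files present in a repository.

Added example, not the tutorial's own config or GitHub's tooling. The keys it
emits (version, updates, package-ecosystem, directory, schedule.interval) are
the ones the article's generated file uses. The ecosystem and interval tables
below are a subset of what Dependabot accepts, not an exhaustive list; the
marker-file mapping is this example's own assumption.
"""
import posixpath

# Ecosystem names Dependabot accepts (subset); the first five are the ones the
# article names.
KNOWN_ECOSYSTEMS = {
    "github-actions", "docker", "pip", "npm", "composer",
    "bundler", "cargo", "gomod", "maven", "nuget",
}
KNOWN_INTERVALS = {"daily", "weekly", "monthly"}

# Assumed mapping from a manifest file name to its Dependabot ecosystem.
MARKER_FILES = {
    "requirements.txt": "pip",
    "package.json": "npm",
    "composer.json": "composer",
    "Dockerfile": "docker",
    "Gemfile": "bundler",
    "Cargo.toml": "cargo",
    "go.mod": "gomod",
}

# Constructed file listing standing in for `git ls-files` output.
SAMPLE_PATHS = [
    "README.md",
    "requirements.txt",
    ".github/workflows/ci.yml",
    ".github/workflows/release.yml",
    "services/api/Dockerfile",
]


def validate_entry(ecosystem, directory, interval):
    """Return an error message for a bad update entry, or None if it is acceptable."""
    if ecosystem not in KNOWN_ECOSYSTEMS:
        return f"unknown package-ecosystem {ecosystem!r}"
    if not directory.startswith("/"):
        return f"directory must start with '/' (repository-relative), got {directory!r}"
    if interval not in KNOWN_INTERVALS:
        return f"unknown schedule interval {interval!r}"
    return None


def infer_updates(paths, interval="weekly"):
    """Map repository-relative file paths to (ecosystem, directory, interval) entries.

    Workflow files under .github/workflows/ map to github-actions with directory "/";
    every other manifest maps to the directory that contains it. Duplicates collapse.
    """
    entries, seen = [], set()
    for path in paths:
        directory, filename = posixpath.split(path)
        if path.startswith(".github/workflows/"):
            key = ("github-actions", "/")
        elif filename in MARKER_FILES:
            key = (MARKER_FILES[filename], "/" + directory)
        else:
            continue
        if key not in seen:
            seen.add(key)
            entries.append((key[0], key[1], interval))
    return entries


def render_dependabot_config(updates):
    """Serialise update entries as the YAML Dependabot expects; raises ValueError on bad input."""
    if not updates:
        raise ValueError("at least one update entry is required")
    lines = ["version: 2", "updates:"]
    for ecosystem, directory, interval in updates:
        problem = validate_entry(ecosystem, directory, interval)
        if problem:
            raise ValueError(problem)
        lines += [
            f'  - package-ecosystem: "{ecosystem}"',
            f'    directory: "{directory}"',
            "    schedule:",
            f'      interval: "{interval}"',
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_dependabot_config(infer_updates(SAMPLE_PATHS)), end="")
```

One update entry per ecosystem and directory is what Dependabot expects, so a Dockerfile under services/api gets its own entry with directory "/services/api" while all workflow files collapse into a single github-actions entry at "/". Committing the rendered text to .github/dependabot.yml on the main branch is the same push as Step 4.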

Reviewing Dependabot PRs

Here's what a Dependabot PR looks like:

[image: a Dependabot pull request bumping a requirements.txt entry]

It will give you details about the changes to the package (release notes, changelog and commits) and allow you to run tests if that is applicable to your repo.

Once your code is tested and seems to be working with the new version, you can update your requirements by simply clicking "Merge Pull Request".

Whenever a change is made to the requirements, Dependabot will automatically rebase all of its open PRs to ensure there are never any merge conflicts.

Conclusion

I hope you found this tutorial useful.

Check out the full video for further explanations and be sure to like and subscribe!

- Jonah Lawrence

Twitter: @DenverCoder1

YouTube: Jonah Lawrence - Dev Pro Tips

Discord server: https://discord.gg/fPrdqh3Zfu

Top comments (2)

Tony Dehnke

Is there a way to have it only run CI checks one by one and merge, rather than, say, 20 checks, merge 1, retrigger 19 checks, merge 1, retrigger 18, etc.?

Would be nice to be able to reduce the CI time and cost.

Jonah Lawrence

Since the codebase changes when you merge a PR, the checks will run again in order to ensure it is compatible with the new version of the default branch.

To avoid this, you could either modify the CI to skip automatic checks when the author is Dependabot, so you'll have to run it manually on each PR.

Or alternatively, you could try this workflow (or a similar one) that will group dependency PRs together into one, so you can merge them all at once.