Ivan

Keep your dependencies up to date with Dependabot

When you are maintaining a codebase it becomes hard to keep track and update the dependencies installed in your app.

While it's important to keep things up to date, it's also a huge pain: checking for updates, making sure nothing is breaking, etc. That's where Dependabot comes to help us. It automatically creates pull requests that we can review and test and, if it's all good, merge to update our dependencies.

GitHub users might already know Dependabot for its security updates, but it can do way more than that. The goal of this post is to set up Dependabot so that it also keeps track of version updates and you can update your packages on a regular basis.

Why?

Keeping your dependencies updated is generally a good thing. Some people take a different approach, the "if it ain't broke don't fix it" kind of thing. But packages get better and improve as they get updates (or at least they should). You might get stuck with a bug that is already solved in a new version, or never enjoy the performance improvements that updates bring.

When?

Only do this for projects/apps/boilerplates that you are actively maintaining. Setting up Dependabot for a weekend project or something similar will only be an annoyance, as Dependabot will keep spamming pull requests in a repository you don't even use forever, or until you turn it off I guess.

Important Note

Always take time to check and test the pull requests Dependabot creates. Read the changelog, look for any breaking changes that might be announced, and if the package is widely used in your app, it's always good to run the branch and test to make sure everything still works fine with the new version.
Also, don't blame me if you break production, blame Dependabot, or yourself, or the fact that you don't have tests.

Setting up Dependabot

Setting up Dependabot is actually really easy and simple.

  • In the root folder of your repository, if you don't already have it, create a .github folder.

  • Inside the .github folder, create a file called dependabot.yml. For this example I am using npm as my package ecosystem. Inside the file, copy the following content.

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

So what's going on here? This configuration file tells Dependabot the kind of dependency you want to update (package-ecosystem), where the dependency manifest is located (directory), in our case the folder containing the package.json file, and how often you want Dependabot to look for updates (schedule).

And that's it, you are done. Once you push these changes to GitHub, Dependabot will fire up and start making pull requests. Don't worry if you think you have a lot of outdated dependencies: there is a limit on how many pull requests it can have open at a time, which you can configure (5 by default), so you won't get flooded with pull requests.
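The minimal file above is all Dependabot needs, but the same dependabot.yml also controls the pull-request limit mentioned here, grouping, labels and which ecosystems are covered. The following is an added example of a fuller configuration, not the file from this post; the package name under ignore is a placeholder, and the day, time, timezone and label values are assumptions you would adjust to your own repository.

```yaml
version: 2
updates:
  # Application dependencies declared in package.json (same as the post's example)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      # Optional: pin the run to one slot so review time is predictable (assumed values)
      day: "monday"
      time: "09:00"
      timezone: "Europe/Berlin"
    # Raise the default cap of 5 open PRs; setting this to 0 disables version updates
    # while security updates keep coming
    open-pull-requests-limit: 10
    # Batch minor and patch bumps into a single PR so there is one branch to test;
    # major bumps stay as individual PRs, where reading the changelog matters most
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Labels and commit prefix make the bot's PRs easy to filter in the repository
    labels:
      - "dependencies"
      - "npm"
    commit-message:
      prefix: "chore(deps)"
    # Hold back major updates of a package you want to migrate by hand
    # ("example-package" is a placeholder, not a real dependency of this post)
    ignore:
      - dependency-name: "example-package"
        update-types: ["version-update:semver-major"]

  # The workflows in .github/workflows are dependencies too: keep the action
  # versions they pin current, since they run with your repository's permissions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place, the weekly run produces at most one grouped PR for minor and patch bumps plus separate PRs for each major bump, and a second stream of PRs for the GitHub Actions the repository uses. The review step from the Important Note still applies to every one of them.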

Now you should see something like this:

[Screenshot: the pull requests Dependabot opened in the repository]

A Dependabot pull request looks like this:

[Screenshot: a Dependabot pull request with the release notes and changelog of the updated package]

The changelog should list all the changes, fixes, improvements, etc. Always take a look to see what's new and whether there are any breaking changes. If your dependencies are really outdated you might have to dig deeper into past changelogs and test the branch thoroughly. Once again, always test, or better yet, have tests.

Voila!
Now Dependabot will annoy you forever!
Just kidding, this is actually good if you can manage it.

Thank you for reading and if you found this post helpful please like and share :)

Discussion (2)

Julien Maury

Great post, also commands such as @dependabot rebase are pretty efficient as long as you test the final result after the merge.

Ivan Author

Excellent point!
I forgot to mention the Dependabot commands.