When you are maintaining a codebase it becomes hard to keep track of and update the dependencies installed in your app.
While it's important to keep things up to date, it's also a huge pain: checking for updates, making sure nothing is breaking, and so on. That's where Dependabot comes to help us: it automatically creates pull requests that we can review and test and, if it's all good, merge to update our dependencies.
GitHub users might already know Dependabot for its security updates, but it can do way more than that. The goal of this post is to set up Dependabot so that it keeps track of version updates and you can update your packages on a regular basis.
Why?
Keeping your dependencies updated is generally a good thing. There might be people who have a different approach, an "if it ain't broke, don't fix it" kind of thing. But packages get better and improve as they get updates (or at least they should). You might get stuck with a bug that is solved in a new version, or never enjoy the performance improvements that updates bring.
When?
Only do this for projects/apps/boilerplates that you are actively maintaining. Setting up Dependabot for a weekend project or something similar will only be an annoyance, as Dependabot will spam pull requests in a repository that you don't even use FOREVER, or until you turn it off I guess.
Important Note
Always take time to check and test the pull requests Dependabot creates. Read the changelog, look for any breaking changes that might be announced and, if the package is widely used in your app, it's always good to run the branch and test to make sure everything still works fine with the new version.
Also, don't blame me if you break production, blame Dependabot, or yourself, or the fact that you don't have tests.
Setting up Dependabot
Setting up Dependabot is actually really easy and simple.
In the root folder of your repository, if you don't already have it, create a `.github` folder. Inside the `.github` folder, create a file called `dependabot.yml`. For this example I am using `npm` as my package ecosystem. Inside the file copy the following content.
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
```
So what's going on here? This configuration file tells Dependabot the kind of dependency you want to update (`package-ecosystem`), where the dependency manifest is located (`directory`), in our case the folder holding the `package.json` file, and how often you want Dependabot to look for updates (`schedule`).
And that's it, you are done. Once you push these changes to GitHub, Dependabot will fire up and start making pull requests. Don't worry if you think you have a lot of outdated dependencies: there is a limit on how many pull requests it can have open at a time, which you can configure (5 by default), so you won't get flooded with pull requests.
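The single npm entry above is the minimal case. As an added example that is not part of the original post, the script below generalises it: it scans a list of repository paths for the manifests Dependabot understands, emits one `updates` entry per ecosystem and directory, and sets `open-pull-requests-limit` explicitly to the default of 5 mentioned above. The manifest-to-ecosystem table and the sample file listing are my own assumptions for the demo.

```python
# Added example (not from the original post): build a dependabot.yml covering
# every manifest in a repo, generalising the single npm entry shown above.
from pathlib import PurePosixPath

# Manifest file name -> Dependabot package-ecosystem value (assumed table for the demo).
MANIFESTS = {"package.json": "npm", "requirements.txt": "pip", "pyproject.toml": "pip",
             "go.mod": "gomod", "Cargo.toml": "cargo", "Dockerfile": "docker"}

def build_updates(repo_files, interval="weekly", pr_limit=5):
    """One `updates` entry per (ecosystem, directory) found in repo_files.

    repo_files: repo-relative POSIX paths such as "api/package.json".
    pr_limit defaults to Dependabot's own limit of 5 open PRs per entry.
    """
    repo_files = sorted(repo_files)
    entries, seen = [], set()
    for f in repo_files:
        p = PurePosixPath(f)
        eco = MANIFESTS.get(p.name)
        if eco is None:
            continue
        # `directory` is the manifest's folder, rooted at "/".
        directory = "/" if str(p.parent) == "." else "/" + str(p.parent)
        if (eco, directory) in seen:  # requirements.txt + pyproject.toml in one dir
            continue
        seen.add((eco, directory))
        entries.append({"package-ecosystem": eco, "directory": directory,
                        "schedule": {"interval": interval},
                        "open-pull-requests-limit": pr_limit})
    # Workflow files under .github/workflows use the github-actions ecosystem at "/".
    if any(f.startswith(".github/workflows/") for f in repo_files):
        entries.append({"package-ecosystem": "github-actions", "directory": "/",
                        "schedule": {"interval": interval},
                        "open-pull-requests-limit": pr_limit})
    return entries

def render(updates):
    """Serialise to the YAML layout Dependabot expects (no PyYAML needed)."""
    lines = ["version: 2", "updates:"]
    for u in updates:
        lines += [f'  - package-ecosystem: "{u["package-ecosystem"]}"',
                  f'    directory: "{u["directory"]}"',
                  "    schedule:",
                  f'      interval: "{u["schedule"]["interval"]}"',
                  f'    open-pull-requests-limit: {u["open-pull-requests-limit"]}']
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample listing standing in for `git ls-files` output.
    print(render(build_updates(["package.json", "api/requirements.txt", ".github/workflows/ci.yml"])))
```

Feed it the output of `git ls-files` and write the result to `.github/dependabot.yml`; review the generated entries before committing, since every entry is a stream of pull requests you will be maintaining.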
Now you should see something like this:
[Image: a Dependabot pull request]
The changelog should list all the changes, fixes, improvements, etc. Always take a look to see what's new and whether there are any breaking changes. If your dependencies are really outdated you might have to look deeper into past changelogs and test the branch thoroughly. Once again, always test, or better yet, have tests.
Voila!
Now Dependabot will annoy you forever!
Just kidding, this is actually good if you can manage it.
Thank you for reading and if you found this post helpful please like and share :)
Top comments (2)
Excellent point!
I forgot to mention the Dependabot commands.