DEV Community

Tom

Dependabot needs a workflow too

Modern JavaScript projects tend to have a lot of external dependencies, and it's important to keep those dependencies up to date. Dependabot is a great help with this. However, using Dependabot comes with new challenges:

  • If your project has a lot of dependencies, Dependabot creates new PRs on a daily basis. Who's responsible for dealing with them?
  • Can we automatically merge PRs created by Dependabot, or should we test them (locally)?

Our team came to the conclusion that Dependabot does help us keep the dependencies up to date, but that's not enough: Dependabot needs a workflow too. This is how we do it:

  • A developer who creates a new PR should at the same time have a look at the existing open PRs, including the PRs opened by Dependabot.
  • We automatically merge patch PRs.
  • Patch update, but failing tests? Check out locally, find out why the tests are failing, fix, push and merge.
  • Minor update of a dev dependency (and tests are green)? Just merge.
  • All other types of PRs: check out locally and test.
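
One way to encode the merge rules above as a GitHub Actions workflow (an added example, not the team's own configuration). It goes one step beyond the list by also automating the minor dev-dependency rule. The file name and the squash merge method are assumptions, and it assumes auto-merge and required status checks are enabled on the repository so that a red test run blocks the merge.

```yaml
# .github/workflows/dependabot-automerge.yml (hypothetical file name)
name: Dependabot auto-merge
on: pull_request

# Least privilege: only the scopes `gh pr merge` needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  automerge:
    runs-on: ubuntu-latest
    # Act only on PRs opened by Dependabot itself, never on human or fork PRs.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read update metadata
        id: meta
        # Pinning to a full commit SHA instead of a tag is the stricter choice.
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Rule 1: patch updates merge automatically.
      # Rule 2: minor updates merge only when the package is a dev dependency.
      # Everything else (major, minor production, indirect) is left open
      # for a developer to check out and test locally.
      - name: Enable auto-merge for low-risk updates
        if: >-
          steps.meta.outputs.update-type == 'version-update:semver-patch' ||
          (steps.meta.outputs.update-type == 'version-update:semver-minor' &&
           steps.meta.outputs.dependency-type == 'direct:development')
        # --auto queues the merge until required checks pass, so a patch
        # update with failing tests stays open for manual investigation.
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          # Passed through the environment rather than interpolated into the
          # script, which keeps event data out of the shell command line.
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Without required status checks on the target branch, `--auto` has nothing to wait for and the PR merges immediately, so the "tests are green" condition depends on branch protection rather than on this file.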

Notes:

  • If there are 5 open Dependabot PRs, it's not your responsibility to tackle them all. Just review 1 or 2, and leave the rest to the next developer.
  • If Dependabot keeps on creating the maximum number of PRs several days in a row, we sometimes just run npm-check update to test and update a bunch of packages at the same time. (This is basically the workflow of projects without Dependabot, and the problem with that approach was that actually nobody was updating the dependencies at all.)

Keep your dependencies up to date, but share the burden across your team.

Happy updating!

Top comments (2)

Justin Poehnelt

No need for a GitHub action to automatically merge, can use a really simple GitHub workflow using the GitHub cli: dev.to/jpoehnelt/automatically-app...

Tom

Nice, thanks for the update!
