Keeping your dependencies updated is one of the easiest ways to keep the software you build secure. Unfortunately, it is also one of the most overlooked.
Luckily for us, GitHub Dependabot can help with this, by updating your dependencies automatically, so you can spend less time updating dependencies and more time building.
Let's quickly see how Dependabot works and then we'll see how to enable and use it.
First step, Dependabot pulls down your dependency files and looks for any outdated or insecure requirements.
Then, if any of your dependencies are out-of-date, Dependabot opens individual pull requests to update each of them.
Finally, you can check that your tests pass, scan the included changelog and release notes, and if everything looks ok, merge the changes back to your code.
Enabling Dependabot is really easy.
First, fo to the Security tab of your repository, then click on the Enable Dependabot Alerts button.
At this point another screen will appear:
The first button you have to click on to enable Dependabot on your repository is the one I've highlighted in red. And technically this is all you need to have Dependabot enabled and look for vulnerabilities.
However, we want to take this a step further.
If you click on the other button, the one highlighted in green, Dependabot will be able to automatically create pull requests for you to fix your vulnerable dependencies!
This is what we want, don't we? 👴🏻
Alright, enough talking... let's see this in practice.
Let me know in the comment section below if you want to see more about Dependabot or if you have any questions about it.
Also you may want to check out this video here, where I talk about GitHub Code Scanning (which complements Dependabot in many ways).
Like, share and follow me 🚀 for more content: