DEV Community

Minh-Phuc Tran
Minh-Phuc Tran

Posted on • Originally published at

How-to Keep Your Packages Always Up-to-date with Dependabot

One of the ways that I do to keep myself up-to-date with the latest technologies is to configure automatic dependencies upgrade, which helps in 2 ways:

  • Keep my products/packages always up-to-date, especially avoid potential vulnerability as soon as possible.

  • Remind me of the technologies I'm using that have introduced new features or bug fixes. I can quickly look at it and learn what is newly possible.

In this article, I'll walk you through how I did it very easily and conveniently.

Last Sunday, there were quite a few packages updated in my products.

Screen Shot


Dependabot is a Github bot that automatically tracks and opens PRs to update dependencies for you. It used to be a separate product but was acquired by Github in 2020 and became available completely for free 🤯.

Basic configuration

To configure it, you need just a couple of lines of code:

  • Create a file .github/dependabot.yml in your repository.

  • Add some configuration to instruct Dependabot what to update:

version: 2

  - package-ecosystem: npm
    directory: /
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
      interval: weekly
Enter fullscreen mode Exit fullscreen mode

Dependabot supports a lot of different package ecosystem including npm, Python, Go, Rust, Maven, Docker, etc, and also Github Actions recently. Check out more here.


You can configure Dependabot to update daily, weekly, or at another specific interval. My experience with weekly updates is the best so far.


After commiting your dependabot.yml to your repository, Dependabot will help you update packages by opening PRs, which you can accept or reject. By receiving updates via PRs, you get a chance to make sure that all your tests/checks are passed before promoting to your live distribution.

Screen Shot

Dependabot is also intelligent enough to automatically rebase PRs when you pushed new changes to master (or whatever branch you configured), so you don't always have to review and merge it right away. In fact, I often ignore it until late in the day, when my energy level is the lowest, then I review one or several of them.


One little tip that I often do especially for an open-source package is to put a badge letting the users know that this package is configured to be automatically up-to-date.

![dependabot status](
Enter fullscreen mode Exit fullscreen mode

dependabot status

That's it. Dependabot has been super convenient for me, especially for open-source packages that I've done implementing and don't want to think about maintaining its dependencies. I hope it will benefit you, too!

Top comments (0)