Basic concepts
What is Dependabot?
Dependabot automates dependencies management and supply chain security for free.
With a simple dependabot.yml file in your repository and a few lines inside, you can automatically raise pull requests to keep your dependencies up-to-date.
This is major in terms of security, as supply chain attacks are rising these days.
Is it only for GitHub?
Yes. Microsoft (GitHub) acquired the company some time ago.
What is GitHub Advisory Database?
It's the main database that Dependabot uses to learn about security vulnerabilities.
How can I enable Dependabot?
Go to YOUR_REPO/settings/security_analysis. You get a dedicated page "Code security and analysis" where you can enable Dependabot's features.
Where do I put the configuration file?
On GitHub, you can create the file here: /.github/dependabot.yml.
Getting started with dependabot.yml
Here is a very basic example to handle npm dependencies:
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
Don't forget the version parameter!
Is it for public packages only?
No. You can add a registries section containing authentication details to the dependabot.yml file:
version: 2
registries:
npm-npmjs:
type: npm-registry
url: https://registry.npmjs.org
username: my_username
password: ${{secrets.MY_NPM_PASSWORD}}
updates:
- package-ecosystem: "npm" # could be "bundler", pip", "docker", "composer", etc @see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
directory: "/"
schedule:
interval: "weekly"
Schedule interval
The schedule interval is a required setting and probably one of the most critical ones as it determines the cycle of updates and PRs.
I really appreciate the possibility to delay updates because you don't have infinite time to allocate to each repository. There are different options:
- daily
- weekly
- monthly
You can add schedule.day if you choose weekly to start the cycle on some day other than Monday:
schedule:
interval: "weekly"
day: "friday"
You can even add a specific time:
schedule:
interval: "weekly"
day: "friday"
time: "10:01" #10:01am UTC
If you don't want to use UTC, you can specify a timezone:
schedule:
interval: "weekly"
day: "friday"
time: "10:01"
timezone: "Europe/Vatican"
Custom labels
The default label for all PRs is "dependencies" by default, but you might want to customize that, especially when you handle multiple packages ecosystems:
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
labels: "npm-dependencies"
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
labels:
- "docker-dependencies"
It's also great to keep things organized. Note that you can use several labels for each package ecosystem.
Target branches
You can use the target-branch parameter to prevent Dependabot from raising PRs only on the default branch. Note that you can add a custom branch per each package ecosystem:
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
labels: "npm-dependencies"
target-branch: "trunk"
Available packages ecosystems
Helpful commands
| Command | Description |
|---|---|
@dependabot cancel merge |
cancel a merge |
@dependabot close |
close the PR and Dependabot will not recreate the same PR |
@dependabot ignore |
close the PR and stop depdendabot on this repository |
@dependabot ignore this major version |
close the PR and Dependabot will not recreate PRs for this major version |
@dependabot ignore this minor version |
close the PR and Dependabot will not recreate PRs for this minor version |
@dependabot merge |
merge the pull after CI tests |
@dependabot rebase |
rebase the PR |
@dependabot recreate |
force recreate the PR |
@dependabot reopen |
reopen the closed PR |
@dependabot squash and merge |
squash and merge after CI tests |
You can "talk" with the bot by commenting the PR with special commands, which can save a lot of time. For example, I often use the @dependabot rebase command to resolve merge conflicts between several PRs that update the same dependencies.
It's quite often enough to proceed!
Things to know and errors to avoid
Dependabot is fantastic but be aware of potential mistakes:
- Don't merge PRs blindly, as you might break your app
- Add a CI server whenever you can, especially for live production apps
- Dependabot does not automatically warn of absolutely everything, keep some monitoring
- Enabling Dependabot grants read-only permission to GitHub for analysis purpose
- Dependabot may have some issues when trying to read your dependency file, so check it carefully
- PRs' reviews should be done by several members of the team, not just one person
- Remove unused dependencies
More advanced usages
Dependabot is pretty straightforward but you might need more advanced usages.
open-pull-requests-limit
By default, Dependabot cannot open more than 5 PRs at the same time, but you can change this setting per each package ecosystem:
version: 2
updates:
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 12
How to disable PRs for a specific package ecosystem
You may set the open pull requests limit to 0:
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
labels: "npm-dependencies"
open-pull-requests-limit: 0 # 0 will disable PRs
- package-ecosystem: "docker"
directory: "/"
schedule:
interval: "weekly"
labels:
- "docker-dependencies"
open-pull-requests-limit: 12
Auto merges
It's possible to connect Dependabot to scheduled actions for automatic merges. While it's not something I would recommend, you might beg to differ. Here's a nice introduction.
versioning-strategy
The versioning-strategy parameter can be helpful to change the default strategy according to the package manager.
For example, you might want to increase the version with Composer dependencies only when it's required. In such case, you can do:
version: 2
updates:
- package-ecosystem: "composer"
directory: "/"
schedule:
interval: "weekly"
versioning-strategy: increase-if-necessary
Dependency Graph
Go to YOUR_REPO/network/dependencies to get an overview of all your dependencies. There's even a tab called "Dependents" where you can list repositories that depend on your repository.
Top comments (0)