DEV Community



Knowledge of Merging Dependabot

I have been merging Dependabot pull requests for several years, so here is some of what I have learned.


I group libraries into three kinds: frameworks, normal libraries, and development tools.

I tried to read the full CHANGELOG and code diff for every pull request generated by Dependabot.

My goal was to understand what kinds of changes are typically made.

Diff List

Here are the kinds of changes that appear most frequently.

  • add tests
  • add CI configuration
  • update documentation
  • fix naming
  • refactor code and change function arguments
  • add new features

My project uses major libraries, so most of the changes are conservative changes and security fixes.
Refactoring and argument changes can introduce bugs, so when you see them, read the CHANGELOG carefully.

In Framework Case

Like Rails, Laravel.

You MUST read the RELEASE NOTES before updating.

For minor updates (e.g. 5.1 → 5.2), there is no need to be nervous.

For major updates (e.g. 5.5 → 6.0), you need to verify thoroughly in a staging environment.
Even so, a few bugs will slip through, so verify, verify, and verify again.

Verification is easy if you have static analysis and a test suite in place.

In Normal Library Case

Like Faraday, Devise.

If the CHANGELOG lists no breaking changes, you can merge immediately.
In my case, this has never caused a problem.

As in the framework case, you should have static analysis and a test suite in place.

In Development Tool

Like RuboCop, ESLint.

You can merge these without much thought, provided CI enforces them strictly: the tool runs on every pull request and a failure blocks the merge.

RuboCop in particular changes its configuration format frequently, so update it regularly; skipping several versions turns a small config fix into a large one.
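The three cases above (framework, normal library, development tool, each split by major versus minor/patch bump) form a small decision procedure. Here it is as a runnable script, added as an example and not code from the original post. It assumes Dependabot's usual single-dependency pull request title, "Bump <name> from <old> to <new>"; the CATEGORIES table is a hypothetical one that you would fill from your own Gemfile or package.json. It goes one step beyond the text in two places: a minor bump on a 0.x version is treated as major, because pre-1.0 libraries routinely break compatibility in minor releases, and a title whose "new" version is lower than the "old" one is flagged rather than classified.

```ruby
# Added example, not code from the original post. Encodes the merge policy
# described above as a script you can run against a Dependabot PR title.
# Assumes Dependabot's single-dependency title format:
#   "Bump <name> from <old> to <new>"
# CATEGORIES is a hypothetical table; fill it with your project's dependencies.

CATEGORIES = {
  "rails"   => :framework,
  "faraday" => :library,
  "devise"  => :library,
  "rubocop" => :dev_tool,
  "eslint"  => :dev_tool,
}.freeze

TITLE_RE = /\ABumps? (?<name>\S+) from (?<old>\S+) to (?<new>\S+)/

def parse_title(title)
  m = TITLE_RE.match(title)
  raise ArgumentError, "not a Dependabot title: #{title.inspect}" unless m
  { name: m[:name], old: m[:old], new: m[:new] }
end

# "v5.2.0", "6.0.0.rc1" and "1.2-beta" all reduce to their leading numeric
# components; a non-numeric component becomes 0. Padded to major.minor.patch.
def numeric_parts(version)
  parts = version.sub(/\Av/, "").split("-").first.split(".").map(&:to_i)
  (parts + [0, 0, 0]).first(3)
end

# Classifies the bump. A minor bump on a 0.x version is treated as :major
# because pre-1.0 libraries routinely break compatibility in minor releases.
def bump_type(old_v, new_v)
  o = numeric_parts(old_v)
  n = numeric_parts(new_v)
  return :downgrade if (n <=> o) < 0
  return :major if n[0] != o[0] || (o[0] == 0 && n[1] != o[1])
  return :minor if n[1] != o[1]
  return :patch if n[2] != o[2]
  :none
end

def merge_policy(title, categories = CATEGORIES)
  pr = parse_title(title)
  category = categories.fetch(pr[:name], :library) # unknown dependency: treat as a normal library
  bump = bump_type(pr[:old], pr[:new])

  action =
    if bump == :downgrade
      "do not merge: version goes backwards, investigate the PR"
    elsif category == :framework
      bump == :major ? "read release notes, verify in staging, then merge" : "read release notes, then merge when CI is green"
    elsif category == :library
      bump == :major ? "read the changelog for breaking changes before merging" : "merge when CI is green"
    else # :dev_tool
      bump == :major ? "merge when CI is green; expect configuration format changes" : "merge when CI is green"
    end

  { name: pr[:name], category: category, bump: bump, action: action }
end

if __FILE__ == $PROGRAM_NAME
  [
    "Bump rails from 5.1.7 to 5.2.0",
    "Bump rails from 5.2.4 to 6.0.0",
    "Bump faraday from 0.17.3 to 0.18.0",
    "Bump rubocop from 1.50.2 to 1.51.0",
  ].each { |t| p merge_policy(t) }
end
```

The unknown-dependency default is deliberately the cautious middle category rather than `:dev_tool`, so a gem that nobody added to the table never gets the "merge without thinking" treatment; a transitive or newly added dependency is exactly the one whose changelog you have not read yet.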


The important thing is to do the obvious work.
Updating library versions is hard, which is exactly why it should be done regularly: small, frequent updates are far easier to review and verify than one large jump.
