
wolfiton

GitHub bot @dependabot fixes security vulnerabilities

Hi everyone,

Today I want to write about @dependabot, GitHub's automated dependency-update bot, which keeps your project's dependencies up to date.

It works with all the popular languages, like:

  • ruby
  • java
  • python
  • javascript
  • rust
  • elixir

You can find the full list of currently supported dependabot languages here, Dear Reader.

I had one project with acorn version 5.7.3 in a Vue project (not a Vue project, an old Phoenix project), and @dependabot automatically updated my acorn to 5.7.4.

This is what the update operation looks like (view the picture below):

[image: screenshot of the @dependabot update pull request]

Thanks to @rob's comment, let's add more context to what @dependabot is doing:

First, I also merged that PR, and the result can be seen in the picture below.

[image: screenshot of the result after merging the @dependabot PR]

As we can see, @rob was right: GitHub deleted our package-lock.json file and added a new dependency to it.

So, to really update our project, we will have to make a new commit after running yarn upgrade or npm update.

@dependabot can also be triggered manually with the @dependabot rebase command.

Well, this is all well and good, Wolfiton, but how much does it cost?

The good news, Dear Reader, is that GitHub just bought @dependabot and it is free of charge.

So you can start using it today in all your projects and even automate it to run at scheduled times or on a commit.
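
Here is what such a scheduled setup looks like, as an added example rather than anything from the original post: it uses the GitHub-native .github/dependabot.yml configuration format (version 2), and it assumes a Phoenix project whose npm packages (such as acorn) live under /assets while the Hex dependencies live at the repository root.

```yaml
# .github/dependabot.yml (added example, not from the original post).
# Assumes a Phoenix app whose JavaScript lives under /assets; adjust the
# directories to your repository layout.
version: 2
updates:
  # JavaScript dependencies, where a package like acorn would be bumped
  - package-ecosystem: "npm"
    directory: "/assets"
    schedule:
      interval: "weekly"
    # Keep the noise down: at most five open update PRs at a time
    open-pull-requests-limit: 5

  # Elixir/Hex dependencies of the Phoenix project itself
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "daily"
```

Each entry produces its own pull requests, so you still review and merge them like any other change, and the lock file in that directory is what gets updated.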

Pretty handy right?

What do you think, Dear Reader, will you use @dependabot rebase to keep your projects secure?

I hope you enjoyed the article, Dear Reader.

If you also find it useful, share it on social.

Credits:

https://dependabot.com/

Thanks, @rob, for your comment and experience with @dependabot.

Top comments (5)

Jan Küster

I like this automation of version bumps, but I'd really like to have it update the top-level dependent. In most cases the vulnerable packages are not the ones in the top level but x levels deep. However, at the time the fixes are available through the bots, they are often fixed in the top-level dependencies, so ultimately I will update them anyway next time. Has anyone experience with configuring a bot to behave in this way?

Jan Küster

Okay, I just realized that's actually exactly what Greenkeeper or david-dm do :-)

Sharad Raj (He/Him)

I had a similar experience with gem versions in my Jekyll theme.

wolfiton

Thanks, @ryanwestlund, for sharing your opinion on @dependabot. What has impressed you the most regarding @dependabot?

The automation? The multi-language support?

wolfiton

Interesting, @rob, I haven't pushed the PR yet.

Thanks for the explanation and your experience with @dependabot.