Today I want to write about @dependabot, GitHub's automatic dependency update bot that keeps your project dependencies up to date.
It works with all the popular languages like:
You can find here, Dear Reader, all the languages that @dependabot currently supports.
I had one project with acorn version 5.7.3 in a Vue project (not a Vue project, an old Phoenix project) and @dependabot automatically updated my acorn to 5.7.4.
This is what the update operation looks like (see the picture below).
Thanks to @rob's comment, let's add more context to what @dependabot is doing:
First, I also merged that PR, and the result can be seen in the picture below.
As we can see, @rob was right: GitHub deleted our package-lock.json file and added a new dependency to it.
So to really update our project we will have to make a new commit after running
yarn upgrade or
@dependabot can also be used manually using the @dependabot rebase command.
Well, this is all well and good Wolfiton, but how much does it cost?
The good news, Dear Reader, comes from GitHub, which just bought @dependabot, and it's free of charge.
So you can start using it today in all your projects and even automate it to run at scheduled times or on a commit.
Pretty handy right?
What do you think, Dear Reader, will you use @dependabot rebase to keep your projects secure?
I hope you enjoyed the article, Dear Reader.
If you also find it useful, share it on social.
Thanks, @rob, for your comment and experience with @dependabot.