Yuan-Hsi Lee

Automatically Update Dependencies

This week, I was working on automatically updating dependencies for projects. Well-maintained packages release new versions frequently. To get more features, bug fixes, and general improvements, we usually want our project to have the latest versions of its packages. However, it is overwhelming when you have hundreds of packages to update.

GitHub has a tool called Dependabot. It is like a robot that helps you find security vulnerabilities. With the proper configuration, it can also help you update outdated packages.

Telescope already had Dependabot sending PRs when there was a security vulnerability, but it didn't send PRs for outdated packages.

A team member, Anton, wanted to add this feature to our project: automatically generated PRs whenever a package is outdated. I'm also interested in this, so we had a discussion about how we could apply this feature to our repo.

Professor Dave mentioned a tool called Renovate, which is very similar to GitHub's Dependabot. So we decided that Anton would try Dependabot on his GitHub repo and I would try Renovate on mine.

We came up with a couple of basic requirements for automatically sending PRs for outdated dependencies:

  1. Able to set a schedule (e.g. daily or weekly, at a specific time or within a time range) and the proper time zone
  2. Auto-assign reviewers
  3. Format commit message

And some nice-to-have but not mandatory features:

  1. Auto-merge PRs for patch updates (e.g. 4.8.4 to 4.8.8)
  2. Specify GitHub labels for PRs

The Renovate bot is able to do everything on this list. It is also very configurable. After you install Renovate through the GitHub application, the Renovate bot sends a PR to merge a renovate.json file into your repo. This file is where you configure the bot's settings. The default one looks like this:

{
  "extends": [
    "config:base"
  ]
}

The default setting will scan through your repo and find every package file, not just the one in the root! For example, in our Telescope project, more than one package file holds the current versions of our dependencies, and Renovate is able to find all of them.

To change the default settings, Renovate provides lots of configuration options. I changed my renovate.json to something like this:

{
  "extends": ["config:base"],
  "timezone": "Canada/Eastern",
  "schedule": ["after 7am before 9pm every weekday"],
  "reviewers": [
    "team: Seneca-CDOT/Winter-2021-Telescope"
  ],
  "npm": {
    "packageRules": [
      {
        "matchUpdateTypes": ["minor", "patch"],
        "schedule": ["after 7am before 9pm"],
        "automerge": true
      }
    ]
  }
}

As you can see, Renovate has configuration options to set the time zone, arrange the schedule, and assign PR reviewers (either individual GitHub usernames or a team name). Moreover, we can specify which type of package file (e.g. npm or docker) should get a special schedule or features like auto-merge; the type of package update (major, minor, or patch) can be configured as well.
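The wish list above asked for auto-merge on patch updates only, while this configuration also auto-merges minor updates. As an added example (not part of the original post and not Renovate's own code), the Node.js check below lists auto-merge rules that are broader than an assumed patch-only policy; `ALLOWED`, `collectRules` and `auditAutomerge` are names made up for this sketch.

```javascript
// Assumed team policy (from the post's nice-to-have list): only patch updates may auto-merge.
const ALLOWED = new Set(["patch"]);

// Collect every packageRules entry: top level plus one level down
// (manager blocks such as "npm", the layout used in the post).
function collectRules(config) {
  const rules = (config.packageRules || []).map((r) => ({ scope: "root", rule: r }));
  for (const [key, value] of Object.entries(config)) {
    if (value && typeof value === "object" && Array.isArray(value.packageRules)) {
      for (const r of value.packageRules) rules.push({ scope: key, rule: r });
    }
  }
  return rules;
}

// Return one finding per auto-merge setting that is wider than ALLOWED.
function auditAutomerge(config) {
  const findings = [];
  if (config.automerge === true) {
    findings.push("root: automerge is enabled for every update type");
  }
  for (const { scope, rule } of collectRules(config)) {
    if (rule.automerge !== true) continue;
    const types = rule.matchUpdateTypes;
    if (!Array.isArray(types) || types.length === 0) {
      findings.push(`${scope}: automerge rule has no matchUpdateTypes limit`);
      continue;
    }
    const extra = types.filter((t) => !ALLOWED.has(t));
    if (extra.length > 0) {
      findings.push(`${scope}: automerge also covers ${extra.join(", ")}`);
    }
  }
  return findings;
}

// The configuration from the post, embedded so the check runs offline.
const postConfig = {
  extends: ["config:base"],
  timezone: "Canada/Eastern",
  schedule: ["after 7am before 9pm every weekday"],
  reviewers: ["team: Seneca-CDOT/Winter-2021-Telescope"],
  npm: {
    packageRules: [
      { matchUpdateTypes: ["minor", "patch"], schedule: ["after 7am before 9pm"], automerge: true },
    ],
  },
};
console.log(auditAutomerge(postConfig));
```

Run against a parsed renovate.json in CI, a non-empty result can fail the build so that a wider auto-merge rule gets a human review before it lands.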

Compared with GitHub Dependabot, both can meet our requirements. Auto-merge is a bit complicated in Dependabot, but still doable. However, after discussing with the team, we don't need the auto-merge feature for now (we are still manually testing all updates no matter their type). We decided to go with GitHub Dependabot since it has all the features we need and it's integrated with GitHub.

This is my first time working with something like an auto-bot and I honestly enjoy it. I'm thinking about learning more in this field. Thanks to the team and Anton for giving me this chance to learn something cool!
