How-to Keep Your Packages Always Up-to-date with Dependabot
Minh-Phuc Tran on Jan 15, 2021
One of the ways I keep myself up-to-date with the latest technologies is to configure automatic dependency upgrades, which helps in two ways:
Keep my products/packages always up-to-date, and in particular pick up fixes for vulnerable dependencies as soon as they are published.
Remind me of the technologies I'm using that have introduced new features or bug fixes. I can quickly look at the release notes and learn what is newly possible.
In this article, I'll walk you through how I did it very easily and conveniently.
Last Sunday, there were quite a few packages updated in my products.
Dependabot is a GitHub bot that automatically tracks your dependencies and opens PRs to update them. It started as a separate product, was acquired by GitHub in 2019, and in 2020 became a built-in GitHub feature, completely free of charge.
To configure it, you need just a couple of lines of configuration:
Create a file .github/dependabot.yml in your repository.
Add some configuration to instruct Dependabot what to update:

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```
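As an added example (not the configuration from the original post), here is a fuller dependabot.yml of the kind I would ship in a production repository. It goes beyond the minimal file above: it fixes the run to one review batch per week, caps the number of open PRs, labels and prefixes them for filtering, and holds back major version bumps for manual review while letting patch and minor updates flow through. Every key is a documented Dependabot option; the /frontend path, the "dependencies" label and the commit prefix are placeholders for your own repository.

```yaml
# Added example dependabot.yml (not the original post's file).
# Paths, labels and the commit prefix are placeholders; all keys are
# documented Dependabot configuration options.
version: 2
updates:
  # npm packages declared in the root package.json
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: sunday            # one review batch per week
      time: "06:00"
      timezone: Etc/UTC
    open-pull-requests-limit: 10   # stop the PR queue from flooding
    labels:
      - dependencies
    commit-message:
      prefix: "chore(deps)"
      include: scope
    versioning-strategy: increase  # bump the range in package.json, not just the lockfile
    ignore:
      # hold back major bumps for manual review; patch and minor updates still flow
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # a second npm project in a subdirectory (assumed path)
  - package-ecosystem: npm
    directory: /frontend
    schedule:
      interval: weekly

  # GitHub Actions used in .github/workflows; Dependabot also updates actions
  # pinned to a full commit SHA, so you can keep SHA pinning and still get updates
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly

  # base images referenced in the Dockerfile
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
```

Two caveats worth knowing. First, an ignore rule like the one above can also suppress an update whose fix only ships in a new major version, so check the repository's security alerts rather than relying on the Dependabot PR queue alone. Second, pinning GitHub Actions to a commit SHA rather than a tag is the safer choice, and it costs nothing here because the github-actions ecosystem keeps SHA pins current as well.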
Dependabot supports a lot of different package ecosystems, including npm, Python, Go, Rust, Maven, Docker, etc., and, more recently, GitHub Actions. Check out more here.
You can configure Dependabot to update daily, weekly, or monthly. My experience with weekly updates has been the best so far.
After committing your dependabot.yml to your repository, Dependabot will help you update packages by opening PRs, which you can accept or reject. By receiving updates via PRs, you get a chance to make sure that all your tests/checks pass before promoting a new version to your live distribution.
Dependabot is also intelligent enough to automatically rebase its PRs when you push new changes to master (or whatever branch you configured), so you don't always have to review and merge them right away. In fact, I often ignore them until late in the day, when my energy level is the lowest, then I review one or several of them.
One little tip that I often apply, especially to an open-source package, is to add a badge letting users know that the package is configured to keep its dependencies automatically up-to-date.
That's it. Dependabot has been super convenient for me, especially for open-source packages that I've finished implementing and don't want to think about maintaining the dependencies of. I hope it will benefit you, too!