Using Dependabot for automated dependency updates
Imagine starting your day realising that someone found an outdated dependency in your project, upgraded it, opened a pull request with a detailed description and had already run the test suite. All that was left for you to do was carry out a code review and hit that merge button! That someone is Dependabot.
Why keep your dependencies up to date?
It is very important to keep your project’s dependencies up to date, for 2 reasons:
- The latest version is usually the best one (new features, better security, improved performance and bug fixes)
- Iterative improvements are better than big-bang changes
Plus it is really satisfying when the project is up to date.
How to keep your dependencies up to date
One way would be to regularly ask your package manager to list all the outdated dependencies, then upgrade them one by one: check the changelog for each and open a pull request for it.
The better way is to have Dependabot do all of that work for you. Dependabot pulls down your dependency files and looks for any outdated or insecure packages. It then opens an individual pull request to update each outdated or insecure dependency, with the changelog and release notes included in the pull request and the test suite already executed, leaving just a review for you to do before hitting merge. That seemed like such a good idea to us here at Talis that we’ve implemented this approach across many of our repositories.
Simply jump on the Dependabot app in the GitHub Marketplace and set up a plan (don’t worry, it’s free!). You then get a nice dashboard to configure Dependabot settings. At Talis we use a configuration file for Dependabot, .dependabot/config.yml, placed in the root of the repo.
Dependabot has a lot of configuration options. Some of the important and useful ones are:
- package_manager: What package manager to use
- update_schedule: How often to check for updates
- default_reviewers: Reviewers to set on pull requests
- allowed_updates: Limit which updates to allow, e.g. security updates only, or top-level dependencies only
- version_requirement_updates: How to update the version requirements in your package manifest (e.g. package.json, Gemfile etc.)
These options can be configured per repo. You can find all the options here.
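To show how those options fit together, here is an added example of a .dependabot/config.yml in the legacy Dependabot format described in this post (it is not Talis’s own file). The reviewer username, label and the ignored package are placeholders; the option names and values are from the Dependabot config reference.

```yaml
# Legacy Dependabot config (the .dependabot/config.yml format used by the Dependabot app).
# Added example, not the project's own configuration. Usernames, labels and the ignored
# dependency below are placeholders.
version: 1
update_configs:
  # One entry per package manager / directory. This one covers a Node project at the repo root.
  - package_manager: "javascript"
    directory: "/"
    # How often to check: "live", "daily", "weekly" or "monthly".
    update_schedule: "weekly"
    # Branch the pull requests are opened against.
    target_branch: "master"
    # Reviewers and labels applied to every Dependabot PR for this entry.
    default_reviewers:
      - "example-reviewer"          # placeholder GitHub username
    default_labels:
      - "dependencies"              # placeholder label
    # Only allow updates that are security fixes for dependencies we depend on directly;
    # everything else is left alone (replace update_type with "all" to allow every update).
    allowed_updates:
      - match:
          dependency_type: "direct"
          update_type: "security"
    # Bump the range in package.json rather than leaving it as-is.
    version_requirement_updates: "increase_versions"
    # Skip a dependency we pin deliberately (placeholder name).
    ignored_updates:
      - match:
          dependency_name: "example-pinned-package"
    commit_message:
      prefix: "chore(deps)"
      include_scope: true

  # A second entry covering the Ruby side of the same repo, on a daily schedule.
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "daily"
    default_reviewers:
      - "example-reviewer"
    allowed_updates:
      - match:
          update_type: "all"
```

Because the rules are per entry, a monorepo can give each package manager or subdirectory its own schedule, reviewers and allowed update types.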
Then there are some account-level settings in the Dependabot app which apply to all the repos. Some of the important ones are:
- Automatically rebase PRs: We have that turned off, as we do not want Dependabot kicking off new builds all the time
- PRs rate limit: The number of initial pull requests created when Dependabot is added to a new project. It’s a good idea to tweak this before adding Dependabot to any repo, so you aren’t overloaded by pull requests
This is what a PR created by Dependabot looks like:
The PR includes a very pretty description of the changes included. Dependabot also aggregates everyone’s test results into a compatibility score, so you can be confident a dependency update is backwards compatible and bug-free. There are also some commands which can be used to perform certain actions on the PR, e.g. rebase or recreate.
Dependabot and GitHub Security Alerts
GitHub also uses Dependabot for its security alerts. You get a “Create automated security fix” button against an alert in the security tab of your repo, which uses Dependabot to create a PR to upgrade the insecure dependency.
This comes with some caveats at the time of writing this:
- Creating an automated security fix from this section does not pick up the Dependabot configuration you have defined in your repo
- GitHub security alerts don’t seem to notify about sub-level (transitive) dependencies in npm-shrinkwrap.json, whereas Dependabot does
To conclude, if you would like to automate your dependency updates, Dependabot is for you. And yes, we are well on the way to being taken over by bots.