
Automate that Dependency with dependabot

The hell with dependencies

No project is written by one person or one team alone; every project is full of dependencies. Some of them you have written yourself, but in a typical scenario many written by others are present in your project(s). Even the frameworks you use are a bunch of dependencies/libraries wired together. For the sake of this article I will use the words dependency and library interchangeably.

Keeping track of these libraries and their updates is no easy task. Many come with breaking changes, and some of them are security updates. Following the Twitter handle of every maintainer of every dependency you use is not a practical solution. There needs to be a way to handle this shizzle.

Otherwise, a couple of months later you are deadlocked with a bunch of dependencies that are in no shape to maintain. Or your project may just be waiting for an attacker to find it and try an exploit against the vulnerable library that you use.

Well, you and I are not alone in this situation; lucky for us, somebody has found a way to automate this.

Announcing Dependabot.

Dependabot is a tool from GitHub, which acquired it some time ago. Dependabot opens a pull request for every one of your dependencies that has a newer version. It supports almost all language/package ecosystems. You can find a list of supported ecosystems here.

Dependabot can also scan private registries if you host packages privately or have an on-premise system. Dependabot can also send alerts for security updates. Dependabot is free to use if you only use public registries, but is available with the Enterprise plan if your repositories are privately hosted.

Let's look at how to use Dependabot and how to configure it for some common use cases. At the end of this article there are also some alternatives to Dependabot if you don't like it.

Enabling dependabot for your repository

Dependabot works per repository, hence you need to enable it for each repository you want updates for. You can do that under the Settings section of your repository on GitHub.

Activating Dependabot

Once you do that, Dependabot will start opening pull requests for each dependency, bumping it to its respective latest version.

Dependabot Pull Requests

If you have a project with a sizeable number of dependencies, the amount of pull requests may be overwhelming or annoying. So let's look at how we can configure Dependabot to help us manage them.

Configuring dependabot

Like many GitHub features, Dependabot is configured using a YAML config file, aptly named dependabot.yaml. This file should be inside the .github directory in your project root, so the path to the config file is .github/dependabot.yaml. Let's look at a sample config file and examine it.

.github/dependabot.yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/" # basically says that the package.json (since it's an npm project) lives under root

This config instructs Dependabot to open pull requests for your JavaScript dependencies. It also tells Dependabot where to look for the package manifest.

This configuration tells Dependabot to open pull requests whenever an update is available for your project. But this may not be ideal in every use case. Note also that GitHub's documentation lists the schedule key as required for each update block, so in practice you will want to add one, which is exactly what the next section covers.

Scheduling Dependabot

Let's say you have 20 dependencies and maybe 10 to 12 of them have regular updates. That means there will sporadically be pull requests clogging your repository's PR dashboard, plus emails and other notifications from GitHub. That's not fun when you are trying to get some work done. It becomes especially painful if you are using a frequently updated library like aws-sdk, which has multiple releases per week.

One approach that helps in this case is to schedule Dependabot to run at specific intervals.

.github/dependabot.yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: weekly
      day: monday
      time: "08:00"
      timezone: "Europe/Berlin"

The above config instructs Dependabot to run every Monday at 8am in the Europe/Berlin timezone. Now you will get updates every week. You can set this to a day that suits your work schedule, for example the start of every sprint cycle.

More comprehensive schedules can be configured according to your needs; more information can be found here.

Multiple package ecosystems

If your project is managed as a monorepo, or if you keep your frontend and backend code together in the same repository, you can configure Dependabot to open pull requests for both.

In the case of a PHP backend and a JavaScript frontend in one repository, the following config will open pull requests for both PHP and JavaScript dependencies.

.github/dependabot.yaml
version: 2
updates:
  - package-ecosystem: composer
    directory: "/backend" # or "/" in case composer.json is in the root dir
  - package-ecosystem: npm
    directory: "/frontend"

See the list of all supported package ecosystems here.

Note that I have omitted the schedule and other configuration for the sake of simplicity, but you can add them as needed.

There is more

You can do a lot more with Dependabot configuration, like:

  • Assign a person to the pull request
  • Apply labels
  • Limit pull requests
  • Ignore specific packages
  • Group certain dependencies
  • Allow specific types of dependencies
    • for example dev dependencies only
  • Customize the commit messages
  • etc...

Read the GitHub documentation here to get more ideas.
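As an added example (this is not a config file from the original post), here is a single .github/dependabot.yaml that exercises the options listed above together with a private registry, so you can see where each one sits. The GitHub usernames, label names, package names, registry URL and the secret name are placeholders I made up for illustration; the keys themselves are the ones GitHub documents for version updates.

```yaml
version: 2

# Private registry (assumed placeholder values): Dependabot reads the token
# from a repository secret, never from the config file itself.
registries:
  npm-private:
    type: npm-registry
    url: https://registry.example.com  # placeholder
    token: ${{secrets.NPM_PRIVATE_TOKEN}}  # placeholder secret name

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Berlin"

    # Assign a person (and a reviewer) to every pull request - placeholder usernames
    assignees:
      - "example-maintainer"
    reviewers:
      - "example-reviewer"

    # Apply labels so the PRs can be filtered on the dashboard
    labels:
      - "dependencies"
      - "javascript"

    # Limit how many version-update PRs may be open at the same time (default is 5)
    open-pull-requests-limit: 3

    # Allow only development dependencies to be handled by this block
    allow:
      - dependency-type: "development"

    # Ignore specific packages or update types (placeholder package names)
    ignore:
      - dependency-name: "typescript"
        update-types: ["version-update:semver-major"]  # take major bumps manually
      - dependency-name: "webpack"
        versions: ["5.x"]  # stay on the current line until a migration is planned

    # Group certain dependencies into one pull request instead of one PR each
    groups:
      eslint:
        patterns:
          - "eslint"
          - "eslint-*"
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"

    # Customize the commit messages (and therefore the PR titles)
    commit-message:
      prefix: "chore(deps)"
      prefix-development: "chore(deps-dev)"
      include: "scope"
```

Two things worth knowing when you tune this: open-pull-requests-limit: 0 switches version updates off entirely for that block, so a limit of zero is not a quieter setting but a disabled one; and ignore rules are silent, meaning an ignored package will not show up in your PR list at all, so review that list from time to time rather than letting it grow forever.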

Alternatives to Dependabot

Obviously, not everyone uses GitHub. Or maybe you don't want to pay for an Enterprise subscription to use your custom package registry. Or maybe you don't like Dependabot scanning your codebase. There are a number of players in this field; most of them are open source with premium hosted offerings or come with Enterprise licences.

Renovate Bot - https://docs.renovatebot.com

Just like Dependabot, Renovate Bot can open pull requests to your repository. It is configured using a file at your project root called renovate.json. Renovate Bot can be self-hosted, and there is also an Enterprise option from Mend (https://www.mend.io/renovate/). More information is in their documentation here.

Depfu - https://docs.depfu.com

Similar functionality, but Depfu at this stage is not as big as Renovate Bot or Dependabot; definitely something to keep an eye on.

Snyk - https://snyk.io/

Snyk focuses more on the security of your code, although it comes with some of Dependabot's functionality (keeping up to date is part of security! Duh!!). Snyk can scan your codebase for security issues and open pull requests to fix them.

Follow me on Twitter and find me on LinkedIn to keep updated.

Also find my GitHub profile: https://github.com/ppshobi