No project is written by one person or one team alone; every project is full of dependencies. Some of them you wrote yourself, but in a typical project most of them were written by others. Even the frameworks you use are a bunch of dependencies/libraries wired together. For the sake of this article I will use the words dependency and library interchangeably.
Keeping track of these libraries and their updates is no easy task. Many updates come with breaking changes and some of them are security fixes. Following the Twitter handle of every maintainer of every dependency you use is not a practical solution. There needs to be a way to handle this.
Otherwise, a couple of months later you are stuck with a bunch of outdated dependencies that are in no shape to maintain. Or worse, a vulnerable library you depend on is just waiting for an attacker to find your project and try an exploit against it.
Well, you and I are not alone in this situation; lucky for us, somebody has found a way to automate this.
Dependabot is a tool from GitHub (they acquired it in 2019). Dependabot opens a pull request for each dependency that has a newer version available. It supports most of the common language/package ecosystems; you can find the list of supported ecosystems here.
Dependabot can also pull from private registries in case you host packages privately or run an on-premise system. On top of version updates, Dependabot sends alerts when one of your dependencies has a known vulnerability, and can open a separate security update pull request that bumps the dependency to the patched version. Dependabot is free to use on GitHub.com; if you need private registries or run your own GitHub Enterprise installation, check which features your plan includes.
Let's look at how to use Dependabot and how to configure it for some common use cases. At the end of this article there are also some alternatives in case you don't like it.
Dependabot works per repository, so you need to enable it for each repository you want updates for. Dependabot alerts and security updates are switched on under the Settings section of your repository in GitHub (Code security and analysis); version updates are enabled by adding the configuration file described in the next section.
Once you do that, Dependabot will start opening pull requests bumping each outdated dependency to its latest version.
If you have a project with a sizeable number of dependencies, the amount of pull requests may be overwhelming or annoying. So let's look at how we can configure Dependabot to manage them.
Like many GitHub features, Dependabot is configured with a YAML file, aptly named dependabot.yml. This file lives inside the .github directory in your project root, so the path to the config file is .github/dependabot.yml. Let's look at a sample config file and examine it:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"        # the package.json (since it's an npm project) lives in the repository root
    schedule:
      interval: "daily"   # schedule.interval is required for every entry; "daily" is the most frequent option
```
This configuration tells Dependabot to check every day and open pull requests whenever an update is available for your project. But this may not be ideal in every case.
Let's say you have 20 dependencies and 10 to 12 of them have regular updates. That means there will be a steady stream of pull requests clogging your repository's PR dashboard, plus emails and other notifications from GitHub. That's not fun when you are trying to get some work done. It becomes especially painful if you use a frequently updated library like aws-sdk, which has multiple releases per week.
One approach that could help in this case is to schedule the dependabot to run on specific intervals.
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Berlin"
```
The above config instructs Dependabot to run every Monday at 8am in the Europe/Berlin timezone, so you now get updates once a week in one batch. You could set this to a day that suits your work schedule, for example the start of every sprint.
More elaborate schedules can be configured according to your needs; more information can be found here.
Multiple package ecosystems
If your project is a mono repo, or you keep your front end and backend code together in the same repository, you can configure Dependabot to open pull requests for both; each entry under updates targets one package ecosystem in one directory.
```yaml
version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/backend"   # or "/" in case composer.json is in the root dir
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
```
See the list of all supported package ecosystems here.
Note that I have kept the schedule to the bare minimum (schedule.interval is required for every entry) and omitted other configuration for the sake of simplicity, but you can add more as needed.
You can do a lot more with Dependabot configuration, such as:
- Assign a person to the pull request
- Apply labels
- Limit the number of open pull requests
- Ignore specific packages or version ranges
- Group certain dependencies into one pull request
- Allow only specific types of dependencies, for example dev dependencies only
- Customize the commit messages
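Here is a fuller .github/dependabot.yml that exercises these options together with the private registry support mentioned at the start of the article. It is an added example written for this article, not a file from GitHub's documentation; the registry hostname, the NPM_TOKEN secret name and the GitHub user octocat are placeholders you would replace with your own.

```yaml
# .github/dependabot.yml
version: 2

# Private registry (placeholder hostname). The token is a Dependabot secret,
# set under Settings > Secrets and variables > Dependabot, not an Actions secret.
registries:
  npm-private:
    type: npm-registry
    url: https://npm.example.internal
    token: ${{ secrets.NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private
    schedule:
      interval: "weekly"
      day: "monday"
      time: "08:00"
      timezone: "Europe/Berlin"

    # At most five open version-update PRs at a time. Setting this to 0 pauses
    # version updates only; security update PRs are still opened.
    open-pull-requests-limit: 5

    # Triage: who gets the PRs and how they are labelled.
    reviewers:
      - "octocat"            # placeholder GitHub user
    assignees:
      - "octocat"
    labels:
      - "dependencies"
      - "npm"

    # Only direct dependencies; transitive ones move along with their parents.
    allow:
      - dependency-type: "direct"

    # Skip only the breaking major bumps of a noisy package. Minor and patch
    # releases, where most security fixes ship, still come through.
    ignore:
      - dependency-name: "aws-sdk"
        update-types: ["version-update:semver-major"]

    # Batch updates: one PR for all dev dependencies, one for low-risk
    # production bumps. A dependency lands in the first group it matches.
    groups:
      dev-dependencies:
        dependency-type: "development"
      production-minor-and-patch:
        dependency-type: "production"
        update-types: ["minor", "patch"]

    # Conventional-commit style: "chore(deps): bump <package> from <old> to <new>".
    commit-message:
      prefix: "chore"
      prefix-development: "chore"
      include: "scope"
```

Two things worth checking after committing this: the secret behind ${{ secrets.NPM_TOKEN }} must exist as a Dependabot secret, because Dependabot does not read Actions secrets, and the ignore rule is deliberately limited to major versions so that you are not silently opting a package out of the patch releases that carry security fixes.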
Read the GitHub documentation here to get more ideas.
Obviously, not everyone is using GitHub. Or maybe you don't want to pay for an Enterprise subscription to use your custom package registry. Or maybe you don't like Dependabot scanning your codebase. There are a number of players in this field; most of them are open source with premium hosted offerings or Enterprise licences.
Renovate Bot - https://docs.renovatebot.com
Just like Dependabot, Renovate can open pull requests to your repository. It is configured using a file at your project root called renovate.json. Renovate can be self-hosted, and it is maintained by Mend, which also offers an Enterprise option (https://www.mend.io/renovate/). More information can be found in their documentation here.
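For comparison, the same use cases covered above for Dependabot (a weekly Monday schedule, keeping major bumps of a noisy package out of the stream, grouping dev dependencies) expressed as a renovate.json. This is an added example for this article, not a file from Renovate's documentation; the package name is the one used earlier in the article, and the automerge rule for minor and patch bumps is an assumption about how a team might want to handle low-risk updates.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "Europe/Berlin",
  "schedule": ["before 9am on monday"],
  "labels": ["dependencies"],
  "packageRules": [
    {
      "matchPackageNames": ["aws-sdk"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    },
    {
      "matchDepTypes": ["devDependencies"],
      "groupName": "dev dependencies"
    },
    {
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"]
  }
}
```

The first rule disables only major updates for aws-sdk, so its minor and patch releases still arrive. The automerge rule relies on your CI: Renovate waits for the repository's status checks to pass before merging, so without meaningful tests it would merge unreviewed bumps, which is exactly the supply-chain exposure you are trying to reduce. The vulnerabilityAlerts block applies its settings to the PRs Renovate raises for dependencies with known vulnerabilities, so they can be labelled and triaged separately from routine bumps.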
Depfu - https://docs.depfu.com
Similar functionality, but Depfu at this stage is not as big as Renovate or Dependabot; definitely something to keep an eye on, though.
Snyk - https://snyk.io/
Snyk focuses more on the security of your code, although it also offers some of Dependabot's functionality (keeping up to date is part of security, after all!). Snyk can scan your codebase and dependencies for known vulnerabilities and open pull requests that fix them.