Avoid big updates by keeping your dependencies updated with Dependabot

Imagine you are on a project that haven't worked in a while. Some of the dependencies are outdated, so you want to update them to use the latest features. You run npm install and you see that there are a lot of updates available. You update them and find out the updates have broken your project. Now you have to figure out which dependencies are causing the issue and fix them.You spend days trying to fix the issue.

Instead, what if you could keep your dependencies updated automatically? And that these updates were small and frequent, so you could easily identify the issue if something breaks? This is where Dependabot comes in. Often times, we don't update our dependencies for a long time and when we finally do, we have to update a lot of them.

So, What is Dependabot?

Dependabot is a GitHub tool that automatically updates your dependencies. There are two types of updates that Dependabot can make: security updates and version updates. In this post, we will focus on version updates.

Configuring Dependabot

To get started with Dependabot, you need to create a configuration file under .github/dependabot.yml.

Here is an example configuration file for Dependabot:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

This is a Dependabot configuration file that tells Dependabot to check for updates to npm dependencies every day.

Dependabot will create a pull request for each update it finds. This can create a lot of pull requests, so you may want to configure Dependabot to group updates together. Instead, we can group updates together by using the groups feature. Here is an example configuration file that groups minor and patch updates together.

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      minor-patch-dependencies:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

This will create a single pull request for all minor and patch updates. Major updates will still be created as separate pull requests. This is useful because major updates can introduce breaking changes, so you may want to review them separately.

Dependabot also supports other package ecosystems like Ruby, Python, and Docker.

It is highly configurable and more information can be found in the official documentation.

Debugging Dependabot

If you are having issues with Dependabot, you can debug it by checking the Dependabot logs.

This can be found in your repository under Insights > Dependency Graph > Dependabot > Recent update jobs.

Here you can see the logs for each Dependabot update job.

If you are updating Dependabot, I've noticed that in some scenarios Dependabot will not create new pull requests until the next scheduled update. In this case, to trigger a manual update, you can trigger an update by clicking on Check for updates in the page above.

Conclusion

Dependabot is a great tool to keep your dependencies updated. It can save you a lot of time and effort by automatically creating pull requests with the updated dependencies. It is highly configurable and supports many package ecosystems.