Symfony: Stop checking for dependency updates

Ismaile ABDALLAH
2 min read · Jun 19, 2024


We all love to dive into feature coding while completely ignoring the composer.json file, until, of course, we need a new feature that’s only available in the next version of a dependency.

That’s when we realize we’re three versions behind. Panic! Updating now means a delightful day of fighting deprecations for every version we’ve missed.

Meet Dependabot: your friendly, automated dependency manager on GitHub. Dependabot scans your projects for outdated dependencies and creates pull requests to update them. It guarantees security and easy updating of your project. With Dependabot, you’ll never be behind on updates again, making maintenance easier and leaving you more time to concentrate on coding the fun stuff!

Let’s configure it

We will take a Symfony project as an example, but you can configure it for any project you have.

Create a dependabot.yml file and store it in the .github directory:

version: 2
updates:
  - package-ecosystem: "composer" # Using Composer for PHP dependencies
    directory: "/" # The directory where your composer.json file is located
    schedule:
      interval: "daily" # Check for updates daily
    commit-message:
      prefix: "chore" # Prefix for commit messages
    open-pull-requests-limit: 10 # Limit pull requests opened by Dependabot
    groups:
      symfony:
        patterns:
          - "symfony/*" # Update all Symfony dependencies together

With this configuration, GitHub will automatically check for dependency updates and create pull requests for you.

As shown under groups.symfony.patterns, this setup will simplify our workflow when Symfony releases multiple package updates simultaneously.

[Image: example of a Symfony update pull request]

Instead of generating 11 separate PRs for each Symfony component, Dependabot will consolidate them into a single PR.
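To see which pull requests a group pattern produces for a given project, here is an added example (not code from the original post or from Dependabot) that applies the `symfony/*` pattern to a constructed composer.json. It is a simplified model: it assumes every listed package has an update pending and approximates Dependabot's pattern matching with Python's `fnmatch`.

```python
import json
from fnmatch import fnmatchcase

# Constructed composer.json for illustration (not from the original post).
COMPOSER_JSON = """
{
  "require": {
    "php": ">=8.2",
    "symfony/console": "^7.0",
    "symfony/framework-bundle": "^7.0",
    "symfony/yaml": "^7.0",
    "doctrine/orm": "^3.1",
    "twig/twig": "^3.8"
  },
  "require-dev": {
    "symfony/maker-bundle": "^1.58",
    "phpunit/phpunit": "^11.0"
  }
}
"""

# Mirrors groups.symfony.patterns from the dependabot.yml above.
GROUPS = {"symfony": ["symfony/*"]}


def packages(composer_text):
    """Return vendor/package names from require and require-dev (skips php, ext-*)."""
    data = json.loads(composer_text)
    names = set(data.get("require", {})) | set(data.get("require-dev", {}))
    return sorted(n for n in names if "/" in n)


def plan_pull_requests(names, groups):
    """Simplified model: one PR per group with a match, one PR per ungrouped package."""
    plan = {}
    for name in names:
        for group, patterns in groups.items():
            if any(fnmatchcase(name, p) for p in patterns):
                plan.setdefault(f"group:{group}", []).append(name)
                break  # first matching group wins in this model
        else:
            plan[name] = [name]
    return plan


if __name__ == "__main__":
    for pr, members in plan_pull_requests(packages(COMPOSER_JSON), GROUPS).items():
        print(f"{pr}: {', '.join(members)}")
```

Running it against your own composer.json shows how many pull requests a group removes, which matters when the count would otherwise run into open-pull-requests-limit.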

ℹ️ You can run the update check manually


Don’t let obsolete dependencies slow you down. Adopt Dependabot and keep your projects secure and up-to-date 💪💪.
