GitHub’s Dependabot: Why should you use it and how?
Dependabot is a free GitHub feature that automatically updates your dependencies.
If you’re writing a web app, you probably use some libraries or frameworks that are updated from time to time.
If you’re like me, you may forget to update your packages to their newest version when they are available, and this is why you should use Dependabot!
Dependabot will scan your GitHub repository and submit PRs to update your dependencies (for example by updating your composer.json or package.json files).
To enable it, create a .github folder at the root of your project directory.
Create a file named dependabot.yml inside this folder and paste this content into it:
version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/" # Location of package manifests
    schedule:
      interval: "daily"
If you’re working with Yarn or NPM for example, replace the value of package-ecosystem by “yarn” or “npm”.
More ecosystems like Gradle (Java), Cargo (Rust), GoMod (Golang), Bundle (Ruby), etc. are supported.
Here’s an official documentation page link.
If you’re working with multiple directories, you can put multiple entries under updates and have different updates for different folders and ecosystems.
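As an added example (not part of the original post), here is a dependabot.yml for a repository with a PHP backend at the root, a JavaScript frontend in a hypothetical frontend/ subfolder, and GitHub Actions workflows. Two details worth knowing: Dependabot uses the single ecosystem value "npm" for projects managed with Yarn as well as npm, and open-pull-requests-limit caps how many update PRs one entry keeps open at a time.

```yaml
version: 2
updates:
  # PHP dependencies: composer.json lives at the repository root.
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5   # cap on simultaneously open update PRs

  # JavaScript dependencies in the (hypothetical) frontend/ subfolder.
  # "npm" is the ecosystem value for npm and Yarn projects alike.
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"

  # Actions referenced from .github/workflows/*.yml are dependencies too;
  # directory "/" is what Dependabot expects for this ecosystem.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
```

Each entry is scanned on its own interval and opens its own PRs, so a stale library in the frontend does not wait for the backend's schedule. Commit the file to the default branch; Dependabot picks it up on the next run.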
When this is set up, Dependabot will automatically analyze your repository at the interval you configured (daily, weekly, or monthly) and submit a PR if a dependency can be updated.
All these PRs look the same: they include a small changelog and an indication of how compatible the new version is with the current one.
We are done!
No further configuration is needed, your project will now be up-to-date all the time!
I hope this article helped you understand the ins and outs of GitHub’s Dependabot. If you like my content and want to get updates on my future articles, feel free to follow my account!