Dependabot Is GitHub Native Only
Farewell (and thank you) to DependaBot Preview
On Apr 29th, 2021 the amazing Dependabot (Preview) shut its doors: all existing customers and repositories are going to be migrated onto the GitHub-Native Dependabot, seamlessly integrated with the whole GitHub platform.
Let’s explore differences and what is useful to know.
Dependabot is one of the most useful and valuable tools for software development: thousands of companies, communities, and repositories have been kept safe against vulnerabilities in their upstream (open source) dependencies since the tool first appeared on the GitHub Marketplace in 2019. Unsurprisingly, it quickly became part of the GitHub platform, offering vulnerability scanning of public and private repositories at no charge.
The main difference is of course that the setup is now part of the repository configuration, in the “Insights->Dependency Graph->Dependabot” section.
In the same Dashboard, it is possible to check the logs of the last iteration or to kick off a new bump.
It does also have an updated logo “stamping” the existing Dependabot icon with the GitHub one.
Once enabled, the Pull Requests will be originated by dependabot and no longer by
The migration path is a small wonder: each repository receives a Pull Request (PR) explaining what is happening and taking care of the migration to the final version.
Merge the PR and voilà, you are no longer in preview mode.
The “Upgrade to GitHub-native Dependabot” PR creates the dependabot.yml configuration file in the .github folder. The file defines the necessary configuration:
- package-ecosystem: pip, maven, Gradle, npm, etc… see the full list here.
- directory: location of the manifest file (e.g. pom.xml for Maven).
- schedule: interval and time (e.g. daily at 02:00).
- open-pull-requests-limit: maximum number of PRs a single bump can create.
- ignore and allow: customize which dependencies (or specific versions) must be ignored or included. By default, all dependencies are kept up to date.
Dependabot scans can be disabled simply by deleting the dependabot.yml file from the repository source.
Good to know: setting open-pull-requests-limit: 0 has the same effect but keeps the file in the repository (a temporary disable).
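The keys listed above in one file, as an added example and not the file generated by the migration PR; the dependency coordinates, paths and timezone are assumed placeholders:

```yaml
# .github/dependabot.yml (added example, not the file generated by the migration PR)
version: 2
updates:
  # Maven project: the manifest (pom.xml) sits at the repository root
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
      time: "02:00"
      timezone: "Europe/Rome"      # assumption: any IANA timezone name works here
    open-pull-requests-limit: 5    # cap the number of PRs a single bump can open
    allow:
      - dependency-type: "direct"  # only bump dependencies declared in pom.xml
    ignore:
      # assumed placeholder: keep this dependency on its current major line
      - dependency-name: "org.example:legacy-lib"
        versions: ["2.x"]

  # Python project whose requirements file lives under /service (assumed path);
  # temporarily disabled without deleting the configuration
  - package-ecosystem: "pip"
    directory: "/service"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0    # keeps the entry but opens no PRs
```

Setting the limit back to a positive number re-enables the pip bumps without any other change to the file.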
It is great, fantastic, amazing, but… there is always a BUT.
The GitHub-native implementation does not offer the Live Updates feature, which would create a PR as soon as a new dependency version is released. It is a pity, but a new version is still caught within 24 hours (assuming a daily scan). And the GitHub team has kind of promised to bring this back.
The beloved (by many developers I believe) Auto-Merge option is gone and it does not look like it is coming back any time soon. The principle behind this is that the developer should retain control of merging any dependency update, but this is creating a debate in the community already. Complementary solutions are also filling the gap, like Github Action Merge Dependabot.
PHP developers are also affected as there is no support for PHP Private Registries, although GitHub Actions can be used as a workaround to fetch the required dependencies from those registries.
The GitHub Native Dependabot consolidates the great work performed so far. The migration path is top class and the integration in the Repository Dashboard just makes everything more cohesive and familiar.
Thanks for reading. And thank you dear friend Dependabot Preview.