Published in Geek Culture

Dependabot Is GitHub Native Only

Farewell (and thank you) to DependaBot Preview

On Apr 29th, 2021 the amazing Dependabot (Preview) shut its doors: all existing customers and repositories are being migrated onto the GitHub-native Dependabot, which is seamlessly integrated with the whole GitHub platform.

Let’s explore differences and what is useful to know.

GitHub and Dependabot logos
Image from GitHub blog

Dependabot Preview

Dependabot is one of the most useful and valuable tools for software development: thousands of companies, communities, and repositories have been kept safe against vulnerabilities in their upstream (open source) dependencies since the tool first appeared on the GitHub Marketplace in 2019. Unsurprisingly, it quickly became part of the GitHub platform, offering (at no charge) vulnerability scanning of public and private repositories.

Dashboard

The main difference is of course that the setup is now part of the repository configuration, in the “Insights->Dependency Graph->Dependabot” section.

Image by author

In the same Dashboard, it is possible to check the logs of the last iteration or to kick off a new bump.

Image by author

It also has an updated logo, “stamping” the existing Dependabot icon with the GitHub one.

Image by author

Once enabled, Pull Requests are opened by dependabot and no longer by dependabot-preview.

Image by author

Migration

The migration path is a small wonder: each repository receives a Pull Request (PR) explaining what is happening and taking care of the migration to the final version.

Merge the PR and voilà, you are no longer in preview mode.

Image by author

The “Upgrade to GitHub-native Dependabot” PR creates the dependabot.yml configuration file in the .github folder. The file defines the necessary configuration:

  • package-ecosystem: pip, maven, gradle, npm, etc. (see GitHub's documentation for the full list).
  • directory: location of the manifest file (e.g. pom.xml for Maven).
  • schedule: interval and time (e.g. daily at 02:00).
  • open-pull-requests-limit: maximum number of PRs a single bump can create.
  • ignore and allow: customize which dependencies (or specific versions) must be ignored or included. By default, all dependencies are kept up to date.

Disabling Dependabot

Dependabot scans can be disabled simply by deleting the dependabot.yml file from the repository source.

Good to know: setting open-pull-requests-limit: 0 has the same effect but keeps the file in the repository (a temporary disable).
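As an added example (not the file the migration PR generates for any particular repository), here is a dependabot.yml that uses the keys listed above for a Maven project, and shows where the open-pull-requests-limit: 0 “temporary disable” would go. The timezone, the limit value, and the ignored artifact name are constructed placeholders; the keys themselves are the documented Dependabot v2 options.

```yaml
# .github/dependabot.yml (added example, not the author's or GitHub's own file)
version: 2
updates:
  - package-ecosystem: "maven"            # ecosystem to scan
    directory: "/"                        # folder that contains pom.xml
    schedule:
      interval: "daily"                   # one bump per day
      time: "02:00"
      timezone: "Europe/Amsterdam"        # assumed value; any IANA zone name works
    # Maximum PRs open at once; set to 0 to pause updates while keeping this file
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "direct"         # only update dependencies declared in pom.xml
    ignore:
      - dependency-name: "org.example:legacy-lib"   # placeholder groupId:artifactId
        versions: ["2.x"]                 # never propose the 2.x line of this dependency
```

Deleting the file stops scans entirely, whereas lowering the limit to 0 leaves the configuration in place so the scan can be resumed later by restoring the limit.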

Missing Features

It is great, fantastic, amazing, but… there is always a BUT.

The GitHub-native implementation does not offer Live Updates, which would create a PR as soon as a new dependency version is released. It is a pity, but a new version is still caught within 24 hours (assuming a daily scan). And the GitHub team has kind of promised to bring this back.

The beloved (by many developers, I believe) Auto-Merge option is gone, and it does not look like it is coming back any time soon. The principle behind this is that the developer should retain control of merging any dependency update, but this is already creating a debate in the community. Complementary solutions are also filling the gap, like the GitHub Action Merge Dependabot.

PHP developers are also affected as there is no support for PHP Private Registries, although GitHub Actions can be used as a workaround to fetch the required dependencies from those registries.

Conclusion

The GitHub Native Dependabot consolidates the great work performed so far. The migration path is top class and the integration in the Repository Dashboard just makes everything more cohesive and familiar.

Catch me on GitHub and Twitter for more.

Thanks for reading. And thank you dear friend Dependabot Preview.

Beppe Catanese

Developer Advocate @ Adyen. Here my own stories and thoughts about Software Engineering, Data Engineering, Open Source and Cloud tools.
