Add Dependabot to npm projects on GitHub

Dependabot automates dependency updates for projects on GitHub. We’ll go over how to automate dependency updates for npm or Node.js projects.
Configuration
Create .github/dependabot.yml:
$ mkdir -p .github/
$ touch .github/dependabot.yml
Add the minimum (required) configuration:
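A minimal file with the settings this post describes (npm ecosystem, repository root, daily schedule), as an added example rather than the post's original snippet:

```yaml
# .github/dependabot.yml
version: 2                      # required; current config syntax version
updates:
  - package-ecosystem: "npm"    # required; read package.json and its lockfile
    directory: "/"              # required; location of the package manifest
    schedule:
      interval: "daily"         # required; how often to check for new versions
```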
Given the configuration, Dependabot will check on a daily interval for npm updates using the package manifest (package.json) located at the repository root (/).
For more options, check out “Configuration options for dependency updates”.
Example
Let’s say webpack recently published version 5.0.0 and you’re on 4.0.0.
At 5am UTC, Dependabot will scan your package.json and open a pull request (PR) to merge branch dependabot/npm_and_yarn/webpack-5.0.0 to master.
The commit message will look like:
build(deps-dev): bump webpack from 4.0.0 to 5.0.0
The PR description will contain webpack’s release notes, changelog, and/or commits.