DependaBot is a useful tool to regularly check for dependency updates. By helping to keep your project up to date, DependaBot can reduce technical debt and immediately apply security vulnerabilities when patches are released. How does DependaBot work?
- DependaBot regularly checks dependencies for updates
- If an update is found, DependaBot creates a new branch with this upgrade and Pull Request for approval
- You review the new Pull Request, ensure the tests passed, review the code, and decide if you can merge the change
For the earlier GitHub posts from this series:
- Part 1: Moving code to GitHub
- Part 2: CI/CD with GitHub Actions
Setting up DependaBot
To use DependaBot, we first need to add it from the GitHub marketplace.
Once it is installed, we configure the rules. Here we are configuring for the FeatureFlags.Web project, specifying daily updates, and the source directory. We are leaving everything else blank for now.
Now DependaBot is setup for our project, we can manually ‘bump’ DependaBot to run. Alternatively, we could have waited for it to run it’s daily scan – as we have DependaBot checking the Feature Flags project to at 6am every morning. When it runs, if a dependency update is found, a new Pull Request is created with the upgraded dependency and an email notification is sent. Below is an example showing an update to the Application Insights dependency. All we need to do is review the Pull Request, ensure all of the tests passed successfully, and we can confidently approve and merge this update.
Are there downsides?
While there are a few upsides that you should be aware of:
- You need a good set of automated tests to feel comfortable that you can merge a dependency change. Hopefully, most new projects have these, but if you don’t… this is yet another reason to consider automated testing.
- Some upgrades, particularly those that require agent/runner upgrades don’t work right away. For example, this week a new Chrome Selenium dependency was released, but as the GitHub runner hadn’t been upgraded, the pull request tests continue to fail (until the runner is updated with the latest version of Chrome).
- So far, we have had to configure each individual project, rather than a solution. For larger projects, this can be a lot of work
- Finally, some upgrades aren’t covered, for example, .NET Core versions. These versions need to be changed in the project properties. There can be a side effect of this, for example, two weeks ago when a .NET CORE 3.1 was released, 9 packages were also updated at the same time. The result was the screenshot below, only 1 of the 9 packages could build before the project .NET CORE version was upgraded from 3.0 to 3.1.
DependaBot is useful tool you can use to fight technical debt and security vulnerabilities – two huge problems for every software project. You need to have a good set of automated tests to merge with confidence, but even if you don’t, this can help alert you to dependency updates.
If you are still reading, make sure you check out the August 2020 update.
- DependaBot: https://dependabot.com/