A few months ago, we looked at Dependabot, a tool that checks for dependency updates. Recently, GitHub announced an update that integrates the Dependabot service more tightly as configuration-as-code: instead of configuring it on Dependabot.com, you now add a YAML file to your repository's .github folder. We are going to look closer at how this works today.
Why is Dependabot important?
Dependabot works by scanning your dependencies and looking for updates. It is useful because it accelerates security and dependency updates by automatically creating pull requests. For example, if you have an old jQuery or NuGet package, it will detect the newer version and create a pull request with the upgraded package. This allows teams to spend more time creating software instead of tracking dependency and security updates. Let’s compare the two paths.
Without Dependabot, your workflow probably looks similar to this:
- Checking daily whether your project has dependency updates
- If you find one, opening Visual Studio (or your editor of choice), creating a new branch, and updating the packages
- Test (hopefully with automated tests) to ensure nothing breaks
- Push the changes to a pull request, review, approve, merge.
With Dependabot, your workflow is more like:
- Being notified that Dependabot has found an update in its daily scan
- Review pull request, approve, merge.
Either way, this is where your automated tests are important. On a project with a robust set of tests, the pull request build will verify that the upgrade won’t cause issues. Essentially, we are notified of upgrades and can approve them quickly. Let’s look at a recent Dependabot pull request. This one has detected that the “Microsoft.Extensions.Configuration” package has a 3.1.7 upgrade available.
The Dependabot YAML file
Let’s look at a Dependabot YAML file. In this example, there are a few details worth noting:
- line 1: the version of the Dependabot file; this should start at (version) 1
- line 3: what package manager to use
- line 4: the location of the files to monitor
- lines 5-8: When to run the check. We run ours daily at 6am ET
- line 9: The maximum number of pull requests to open. Once we have ten, we won’t open new pull requests until the others are closed.
- lines 10-11: Who to assign the pull request to when it is opened; this matters because the assignee is the one notified about the new pull request
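An illustrative .github/dependabot.yml laid out to match the line-by-line description above. This is an added example, not the file from the original post; it uses the GitHub-native schema (whose top-level key is version 2, the earlier Dependabot.com config format being version 1), and the NuGet ecosystem, root directory, and the "octocat" assignee are assumed placeholder values.

```yaml
version: 2                           # line 1: schema version of the config file
updates:
  - package-ecosystem: "nuget"       # line 3: package manager to monitor (assumed: NuGet)
    directory: "/"                   # line 4: where the project/manifest files live (assumed: repo root)
    schedule:                        # lines 5-8: when the daily check runs
      interval: "daily"
      time: "06:00"
      timezone: "America/New_York"   # 6am Eastern
    open-pull-requests-limit: 10     # line 9: no new PRs once ten are open
    assignees:                       # lines 10-11: assignee is notified of each new PR
      - "octocat"                    # placeholder username, not from the original post
```

With auto-merge no longer available, the assignee's review plus the pull request checks are the gate a dependency change must pass before it lands.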
With the new YAML Dependabot configuration, automatic pull request merging has unfortunately been removed, out of concern that it could be used to “quickly propagate a malicious package across the ecosystem”. This is a pity, but there is still a ton of value here: being able to approve a PR once its checks have completed.
Dependabot is a developer productivity tool that saves time while also keeping packages current, so that known security issues get patched. Combined with automated testing, the review-and-approve flow for these pull requests is a killer feature. With Dependabot configured as code, it’s even easier to manage, to track changes and history, and to keep the configuration alongside your code. This makes GitHub that much more attractive for mature DevOps teams.
- Dependabot: https://dependabot.com/#how-it-works
- Dependabot YAML: https://dependabot.com/docs/config-file/
- Dependabot GitHub announcement: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
- Dependabot auto-merge discussion: https://github.com/dependabot/dependabot-core/issues/1973