We have talked many times before about how Dependabot has been a massive time saver for projects, helping to streamline dependency updates. However, after a big .NET release, it’s not uncommon for the Pull Requests tab to have lots of individual PR’s we need to triage, approve, and merge. Fortunately, the newly GA-ed Dependabot grouping feature is here to improve our quality of life.
With a couple of lines of yaml in our depenabot.yml file, we can group updates into one PR. However, there are a couple of best practices we have identified.
- We personally like to use the
"*"
wildcard to capture all updates to a project, but if you only want certain dependencies, you can specify patterns to include or ignore. - You can limit the grouping to only certain version updates. Particularly in the example where we are using the
"*"
wildcard, we think it’s important to only group minor and patch updates – major updates generally have API breakages and have a lot more risk of things breaking – especially if they are grouped with smaller dependency updates.
groups:
tests:
patterns: ["*"]
update-types: ["minor", "patch"]
For context, for a testing project, our complete dependabot.yml
file looks like this:
version: 2
updates:
- package-ecosystem: nuget
directory: /src/DotNetHelloWorld.Tests/
schedule:
interval: daily
time: "06:00"
timezone: America/New_York
open-pull-requests-limit: 10
groups:
tests:
patterns: ["*"]
update-types: ["minor", "patch"]
Looking at the same Pull Request tab, we can see there are just 2 pull requests, with one containing a group of 3 dependencies.
Looking closer at the grouped pull request, we can see the 3 dependencies included in the update.
Looking at the file changes, we can see all of the updates:
Limitations
- Currently groups only work with Dependabot updates, not Dependabot security alerts
- Currently you can only scan a project at a time – but this makes sense – this generally means there are less changes to review.
Summary
This morning there were a number of new dependency updates. Instead of 15 separate pull requests, they were grouped in 6 pull requests – this is just a third (!!!) of the pull requests we would normally have to triage, approval, and merge.
Simple little change, but big improvement in quality of life!