Automated Dependency Updates with Dependabot
Dependabot is a free and open source tool that has been bought by GitHub and allows you to check for updates on you dependency files.
Package Manger Options
- pip (includes pipenv)
GitHub Integration Guide
Dependabot is fully integrated with GitHub and only in a few steps you will be able to add it to your current GitHub projects.
- Go to Dependabot site or GitHub marketplace and search for Dependabot.
- Install Dependabot to your GitHub account.
- Give permission to all your repositories or selected ones.
- Start adding repositories to the Dependabot dashboard.
- Tweak Dependabot settings for your projects: how frequent it runs (daily, weekly…), directory, branch, GitHub Pull Requests info…
- Run Dependabot and review PR. A relevant branch name, PR title, comment and labels are created.
Dependabot also provides a way to give you more confidence in case of possible breaking changes. From the PR page a link is shown and it will take you to a page where you can see PRs that failed CI.
How does it work?
- Dependabot retrieves metrics of similar updates from other repos.
- It creates a score based on each repo that runs a CI with passed test suite.
Note: private repositories are not included on the score calculation.
However, to be 100% sure that you are not introducing breaking changes with the dependency updates, you should create a build with the new branch created by Dependabot.
Dependabot can be also used by itself. The official repository provides a Ruby script that you can run with Docker. Another option is to create a repository dedicated to the script and configure a GitLab CI pipeline to run it periodically.
For instance, you could setup a GitLab CI with an Azure repo by following the next steps:
- Clone the dependabot-script repo and create a new project on GitLab
- Get the values of the required global variables:
AZURE_ACCESS_TOKEN-> Go to your Azure Devops profile, Security, Personal access tokens, + New Token
PROJECT_PATH-> For https://dev.azure.com/econsergio/_git/spring-boot-demo will be
PACKAGE_MANAGER_SET-> maven for this example
- Create a new pipeline schedule -> Go to CI/CD, Schedules
- Set in the schedule the required variables
- The script creates a branch and PR on Azure
As you can see Dependabot is very flexible and will take care of all your projects dependency updates. Despite it has been acquired by GitHub, you can run it on GitLab and point to projects on Azure or GitLab.