Automated Dependency Updates with Dependabot

10 Oct 2019  Sergio Martin Rubio  3 mins read.

Dependabot is a free and open source tool that has been bought by GitHub and allows you to check for updates on you dependency files.

It can be used to update dependencies in Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java and .NET, as well as, git submodules, Docker files and Terraform files.

Package Manger Options

  • bundler
  • pip (includes pipenv)
  • npm_and_yarn
  • maven
  • gradle
  • cargo
  • hex
  • composer
  • nuget
  • dep
  • go_modules
  • elm
  • submodules
  • docker
  • terraform

GitHub Integration Guide

Dependabot is fully integrated with GitHub and only in a few steps you will be able to add it to your current GitHub projects.

  1. Go to Dependabot site or GitHub marketplace and search for Dependabot.
  2. Install Dependabot to your GitHub account. alt text
  3. Give permission to all your repositories or selected ones. alt text
  4. Start adding repositories to the Dependabot dashboard. alt text
  5. Tweak Dependabot settings for your projects: how frequent it runs (daily, weekly…), directory, branch, GitHub Pull Requests info… alt text
  6. Run Dependabot and review PR. A relevant branch name, PR title, comment and labels are created. alt text

Breaking Changes

Dependabot also provides a way to give you more confidence in case of possible breaking changes. From the PR page a link is shown and it will take you to a page where you can see PRs that failed CI.

Dependabot Compatibility Rate
Dependabot Compatibility Rate

How does it work?

  • Dependabot retrieves metrics of similar updates from other repos.
  • It creates a score based on each repo that runs a CI with passed test suite.
Compatibility Score Page
Compatibility Score Page

Note: private repositories are not included on the score calculation.

However, to be 100% sure that you are not introducing breaking changes with the dependency updates, you should create a build with the new branch created by Dependabot.

Advance Integrations

Dependabot can be also used by itself. The official repository provides a Ruby script that you can run with Docker. Another option is to create a repository dedicated to the script and configure a GitLab CI pipeline to run it periodically.

For instance, you could setup a GitLab CI with an Azure repo by following the next steps:

  1. Clone the dependabot-script repo and create a new project on GitLab
  2. Rename .gitlab-ci.example.yml to .gitlab-ci.yml
  3. Get the values of the required global variables:
    • AZURE_ACCESS_TOKEN -> Go to your Azure Devops profile, Security, Personal access tokens, + New Token
    • PROJECT_PATH -> For will be econsergio/_git/spring-boot-demo
    • PACKAGE_MANAGER_SET -> maven for this example
  4. Create a new pipeline schedule -> Go to CI/CD, Schedules
  5. Set in the schedule the required variables
  6. The script creates a branch and PR on Azure
Azure Dependabot Branch
Azure Dependabot Branch
Azure Dependabot Dependency Diff Updates
Azure Dependabot Dependency Diff Updates
Azure Dependabot PR
Azure Dependabot PR


As you can see Dependabot is very flexible and will take care of all your projects dependency updates. Despite it has been acquired by GitHub, you can run it on GitLab and point to projects on Azure or GitLab.