Mike Bifulco

I have to tell you about Dependabot 🤖

31 May 2019

Dependabot is an automation service that will automatically create PRs to keep your projects' dependencies up to date, and it is fucking wonderful.

Dependabot is an automation service that will automatically create PRs to keep your projects' dependencies up to date, and it is fucking wonderful.

Screenshot of the settings interface for a project on Dependabot.com
Setup for Dependabot is flexible, quick, and straightforward.

In just a few, sweet, wonderful minutes, you can install and configure it to automatically keep an eye on your project dependencies, and set a daily or weekly schedule to submit updates and changes. Automation at its finest - dependabot is like having a super mindful teammate who keeps an eye on npm (or pip or rubygems or one of many other languages) - you'll automatically get great, well-formed PRs for each dependency version bump, which you can test locally, or have sent up to your CI toolchain of choice.

After you run through the setup process, dependabot will monitor your repo and submit PRs to update individual dependencies on a daily or weekly rhythm (your choice!). If the PR contains an important security update, it will be assigned a label of Security, too.

An example PR from dependabot
Automatically created PRs are simple and to the point.

Honestly, for me, it's like adding a member to my team. I love automation, and I love making my life simpler. Until now, for all of my projects, myself or another teammate would regularly run through all the dependencies in a given repo, and manually update them one at a time, testing and pushing them to GitHub to be run through CI and then eventually merged by the team. The honest truth is that this process can take quite a while, and can be forgotten, and isn't mindful of important security updates at all. That's all over now.

An example PR from dependabot
Dependabot will merge this PR once CI is done, thanks to the @dependabot merge command

What else?

There are a ton of other features available to you the moment you install dependabot. It responds to a wide variety of commands by way of GitHub comment. In the screenshot above, I've approved a PR and asked dependabot to merge it as soon as CI has passed. Now I don't have to babysit the repo in order to merge updates! Sweet!

If your repo contains multiple languages, Dependabot can handle that. If you've got a complex monorepo with multiple files representing your dependencies (for example, a node project set up with Lerna), dependabot can monitor each dependency file individually, with different rules for each.

Dependabot's announcement that they were acquired by GitHub
Dependabot was acquired by GitHub

This was the final kicker for me. Dependabot was just acquired by GitHub, and is now available completely free for use. That's incredible! There's no reason for you not to give it a shot. Go check it out now, post haste!

Go install Dependabot!

Note: the cover photo for this article comes from one of my favorite photographers, Alex Knight, and was made available un Unsplash. Thank you Alex for your work! Go support him on Patreon, and give him a follow on Twitter.

Mike Bifulco headshot

Get content for developers, designers, and entrepreneurs

Subscribe to get my updates delivered to your inbox. Typically 1-2 emails a month, straight from me to you. 😘 Unsubscribe anytime.

© 2019-2021 Mike Bifulco
Built with Next. Source code on GitHub.
Disclaimer: 👋🏽 Hi there. I work as a Developer Advocate at Google. Content on this site contains my own opinions, and does not necessarily reflect the views of my employer.