I have to tell you about Dependabot 🤖

Dependabot is an automation service that will automatically create PRs to keep your projects' dependencies up to date, and it is really powerful.

Update (2021, pt.2): Do you want to know how to run Dependabot locally?

I wrote a follow-up to this article based on a question I've been getting fairly regularly: How do you run dependabot locally? You asked, I answered - check it out here: How to run dependabot locally on your projects

Update (2021) Dependabot has been Acquired by GitHub, and many of the links from this post stopped working once they took down the original site (dependabot dot com). I've updated URLs here to point to more relevant links within GitHub's docs.

Dependabot is an automation service that will automatically create PRs to keep your projects' dependencies up to date, and it is really powerful.

Screenshot of the settings interface for a project on the former Dependabot.com
Setup for Dependabot is flexible, quick, and straightforward.

In just a few, sweet, wonderful minutes, you can install and configure it to automatically keep an eye on your project dependencies, and set a daily or weekly schedule to submit updates and changes. Automation at its finest - dependabot is like having a super mindful teammate who keeps an eye on npm (or pip or rubygems or one of many other languages) - you'll automatically get great, well-formed PRs for each dependency version bump, which you can test locally, or have sent up to your CI toolchain of choice.

After you run through the setup process, dependabot will monitor your repo and submit PRs to update individual dependencies on a daily or weekly rhythm (your choice!). If the PR contains an important security update, it will be assigned a label of Security, too.

An example PR from dependabot
Automatically created PRs are simple and to the point.

Honestly, for me, it's like adding a member to my team. I love automation, and I love making my life simpler. Until now, for all of my projects, myself or another teammate would regularly run through all the dependencies in a given repo, and manually update them one at a time, testing and pushing them to GitHub to be run through CI and then eventually merged by the team. The honest truth is that this process can take quite a while, and can be forgotten, and isn't mindful of important security updates at all. That's all over now.

An example PR from dependabot
Dependabot will merge this PR once CI is done, thanks to the @dependabot merge command

What else?

There are a ton of other features available to you the moment you install dependabot. It responds to a wide variety of commands by way of GitHub comment. In the screenshot above, I've approved a PR and asked dependabot to merge it as soon as CI has passed. Now I don't have to babysit the repo in order to merge updates! Sweet!

If your repo contains multiple languages, Dependabot can handle that. If you've got a complex monorepo with multiple files representing your dependencies (for example, a node project set up with Lerna), dependabot can monitor each dependency file individually, with different rules for each.

Dependabot's announcement that they were acquired by GitHub
Dependabot was acquired by GitHub

This was the final kicker for me. Dependabot was just acquired by GitHub, and is now available completely free for use. That's incredible! There's no reason for you not to give it a shot. Go check it out now, post haste!

Go install Dependabot!

For more reading

Note: the cover photo for this article comes from one of my favorite photographers, Alex Knight, and was made available un Unsplash. Thank you Alex for your work!

***
Mike Bifulco headshot

💌 Tiny Improvements Newsletter

Subscribe and join 🔥 987 other builders

My weekly newsletter for product builders. It's a single, tiny idea to help you build better products.

    Once a week, straight from me to you. 😘 Unsubscribe anytime.


    Get in touch to → Sponsor Tiny Improvements