If you want to be a productive programmer you likely want to take advantage of libraries, plugins, and frameworks that other people have made. Why not stand on the shoulders of giants, right? Libraries like lodash and redux have been pounded on for years, so it generally makes sense to take advantage of quality that's been built up over years of commits. But unfortunately there's a dark side-effect of all of this sharing... security vulnerabilities.
It's not as common as haters of NodeJS/NPM would like you to believe, but vulnerabilities do crop up in popular libraries. Thanks to the bounty prizes that NPM makes available, payers of NPM Enterprise find out about exploits sooner than the general public. But you say, "wait... I don't pay for NPM Enterprise... so what about me?" That's where Dependabot comes in.
Dependabot will automatically open a PR against your GitHub repository and attempt to merge the PR if the unit tests pass. That means that as soon as a fix for a vulnerability is published... your code is going to get the fix.
I'm all about living in the present but still protecting the future. In fact, that's one of the core topics at CubicleBuddha.com. So that's why I use Dependabot to help me do the minimum amount of work to stay vigilant. I've heard it said that the best programmers are the laziest ones... because those are the programmers who will find a creative way to do less work. Jokes aside: time is precious, so why not spend more time creating features that help your users?
Other reasons you should care to use Dependabot:
- your favorite UI widget library fixes an accessibility issue, and you get that fix shipped quickly and for free.
- you work at a big company and you want to make sure all of your teams stay on a consistent version of a private library. Dependabot can save you tons of meetings and governance.
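As an added example (not from the original post), here is a `.github/dependabot.yml` that sets up Dependabot version updates for an npm project that also pulls a shared library from a private registry, which is the "keep every team on the same version" case above. The registry URL, the `@acme/*` package scope and the `NPM_TOKEN` secret are placeholders you would replace with your own. Security updates for known-vulnerable packages are switched on in the repository's security settings rather than in this file.

```yaml
# .github/dependabot.yml (added example, not part of the post)
version: 2

registries:
  # Placeholder private npm registry; the token is read from a repository secret
  # so it never appears in the repo.
  acme-npm:
    type: npm-registry
    url: https://npm.example.com
    token: ${{ secrets.NPM_TOKEN }}

updates:
  - package-ecosystem: "npm"
    directory: "/"          # where package.json lives
    schedule:
      interval: "weekly"    # one batch of PRs per week keeps review load predictable
    registries:
      - acme-npm            # lets Dependabot resolve the private @acme/* packages
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    # Optional: ignore major bumps of a package you upgrade deliberately by hand.
    ignore:
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
```

Each PR Dependabot opens runs your CI like any other PR, so a failing test suite blocks the bump from landing.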
So now that Dependabot is free (thanks GitHub and Microsoft!), go integrate it into your repo and enjoy getting back to your life. :)
Top comments (6)
I can't say enough good things about Dependabot! It's a great service and every time I've reached out with an issue they've got it fixed super quickly!
Just this weekend I was having an issue with automerging and the founder responded to my GitHub comment within a few hours and we had the situation sorted! And that's probably the 5th time I've had almost identical interactions!
Congrats so much to them for the acquisition!
That's so wonderful to hear! :)
I'm not sure I understand what you mean?
Hi CB. Check this: en.wiktionary.org/wiki/OMFG
It's a sign of shock, nothing's wrong with that?