DEV Community

Cover image for Automating Dependency Updates for Your GitHub Projects
Linda Ikechukwu
Linda Ikechukwu

Posted on • Updated on

Automating Dependency Updates for Your GitHub Projects

To keep a piece of software or project relevant, it must continuously be improved and maintained. This usually involves fixing bugs, adding feature requests, optimizing for performance, updating dependencies, etc.

Managing and updating dependencies is a critical part of maintaining a project. We tend to overlook this task and rarely attend to it because it is such a time-consuming and repetitive chore. You'll have to create a new branch, update the dependencies, test, and then merge, all the while neglecting the actual work you're supposed to be doing. Failure to update dependencies frequently will leave the project prone to errors and fatal breakages, taking more time to fix.

What if we could delegate this task to someone or something? In this article, I'll show you how to use the WhiteSource Renovate tool to manage dependency updates automatically, so you can focus on doing what you love: writing badass code.

Renovate is a free tool that keeps source code dependencies up-to-date using automated Pull Requests. It scans repositories for dependencies inside package manager files such as package.json (npm/yarn) and submits Pull Requests with updated versions whenever they are found.

But first, let's make sure we understand what dependencies are.

What are software/code dependencies?

Dependencies include any third-party packages or libraries that you add to a project to get some functionality right out of the box. One popular programming advice is: "don't reinvent the wheel." This means that you should reuse existing solutions when they exist instead of building from scratch. For example, if I need to manipulate images in my project, I'll install the Jimp package from npm and use it instead of writing code to do that. Now, Jimp has become a dependency for my project.

Why should you periodically update dependencies?

Just as you'll maintain your project and add a little touch up now and then, dependencies are usually updated by their authors and new versions released. Since your project depends on them, it's wise to update them frequently to ensure you don't miss out on security/bug fixes, performance improvements, and new features/API.

As I previously mentioned, failure to update dependencies on a regular cadence exposes your project to security bugs, incompatibility errors, and possible breakages, which could take hours or even days to fix. The best practice is to update dependencies in smaller version bumps regularly, and Renovate can take care of that for you.

Why WhiteSource Renovate?

You may be wondering: GitHub has something which does the same thing — Dependabot. Why do I need to use a different tool? Well, there are a couple of features that have made me come to prefer Renovate to Dependabot. As at the time of writing this, Renovate:

  • Supports more package managers than Dependabot
  • Is open-source, so you can always decide to spin up your instance, unlike Dependabot
  • Groups monorepo (multiple packages under a single repository/package, e.g. React) updates into a single pull request, unlike Dependabot, which creates individual pull requests for each package, which leads to extra setup and lots of near-identical PRs to review.
  • Gives you fine-grained control over which type of updates to automerge based on rules set in the config. Dependabot only has the option to either automerge or not.

How to setup Renovate on GitHub with GitHub actions

GitHub Actions is an automation tool that can be used to automate tasks within the software development lifecycle.

In this article, we'll be using it to automatically run tests against pull requests made by Renovate to ensure that dependency updates do not break our application before auto merging.

To set up GitHub actions on your project, create a .github/workflowsdirectory in the root folder.
Inside the workflows folder, create a workflow file named build-and-test.ymlfile and add the following code to it:

name: Build and Test 
      branches: [master]

      runs-on: ubuntu-latest 
        - uses: actions/checkout@v2
        - uses: actions/setup-node@v2-beta
          node-version: '12'     
        - run: npm install      
        - run: npm run build --if-present      
        - run: npm test
Enter fullscreen mode Exit fullscreen mode

In the code above, we first define the name of our workflow. This is optional. Then we specify that whenever a pull request is made to the master, the build_and_test workflow job should run. We also specify that the build_and_test workflow job should be run on an Ubuntu virtual machine and Node v.12.

The build_and_test job will install all project dependencies, build, and run tests to ensure that nothing breaks every time it is run.

P.S: This only runs the test command specified in your npm scripts.

To learn more about the parameters of workflow files, read this.

Next, it's finally time to set up Renovate.

Head over to to install the app. Click on the install button and either install it on all your repositories or only select repositories. For now, you can start with only your designated repository (you can always modify this from the applications tab on the settings page). After that, click the green Install button at the bottom of the page and Renovate will be enabled for the repository and then start the onboarding process.

Once you have successfully installed Renovate in your repository, you'll receive a pull request like this:

Screenshot of pull request

Once you're done checking and configuring the PR, merge it to enable the actual Pull Requests to begin. After merging, Renovate will create a renovate.json file in the project root folder. This is where we'll be adding our custom configurations.

Add this:

"packageRules": [
      "updateTypes": [
      "automerge": true

Enter fullscreen mode Exit fullscreen mode

Here, we're specifying that all minor and patch dependency updates should be automatically merged.

Remember that we have set up GitHub actions to build the project and run tests on every pull request, so Renovate will only automerge if the workflow is passed successfully.

For major dependency releases, we'd like to manually check and confirm before merging.

And that's it. Congratulations, you've just successfully set up automatic dependency updates for your GitHub project.

Renovate can also be used the same way on BitBucket and Gitlab. Check their docs for info.

If you found this article insightful, you should clap and also check out other insightful articles on my frontend development blog and maybe drop me a line on twitter.


Discussion (0)