Modern JavaScript projects tend to have a lot of external dependencies. It's important to keep those dependencies up to date. Dependabot is a great help in this. However, using Dependabot comes with new challenges:
- If your project has a lot of dependencies, Dependabot is creating new PR's on a daily basis. Who's responsible for dealing with them?
- Can we automatically merge PR's created by Dependabot or should we test them (locally)?
Our team came to the conclusion that Dependabot indeed helps us keeping the dependencies up to date, but that's not enough: Dependabot needs a workflow too. This is how we do it:
- A developer who is creating a new PR, should at the same time have a look at the existing open PR's, including the PR's opened by dependabot.
- We automatically merge patch PR's.
- Patch update, but failing tests? Checkout locally, check why tests are failing, fix, push and merge.
- Minor update and dev-dependency (and tests are green)? Just merge.
- All other type of PR's: checkout locally and test.
Notes:
- If there are 5 open dependabot PR's, it's not your responsibility to tackle them all. Just review 1 or 2, and leave the rest to the next developer.
- If Dependabot keeps on creating the maximum number of PR's several days in a row, we sometimes just run
npm-check updateto test and update a bunch of packages at the same time. (This is basically the workflow of projects without dependabot and the problem with that approach was that actually nobody was updating the dependencies at all.)
Keep your dependencies up to date, but share the burden across your team.
Happy updating!
Top comments (2)
No need for a GitHub action to automatically merge, can use a really simple GitHub workflow using the GitHub cli: dev.to/jpoehnelt/automatically-app...
Nice, thanks for the update!