DEV Community


Posted on

Depend(abot) on Umbraco patching

With recent security patches for Umbraco and a bit of time on my hands in the last few days, I finally setup dependabot!

For those who dont know dependabot can be used to scan a repos dependencies and do an update, as well as create a PR so you can review the changes etc, now of course it doesnt run the site for you or test it (at least not alone), but its one less step in the process for you to handle!

I first tried to do this with Umbraco 8 using a differrent tool nuKeeper, however Umbraco 8 could only be updated using Visual studio or a zip, due to the need for the console, many an hour spent on that one!

With the release of 9 and changes with nuget Umbraco had to change how they delivered the package. Meaning we can now automate! Just like cloud.

Setting it up

In the root of your git repo, add a .github/dependabot.(yml/yaml). This is where we will configure dependabot. There is a few difference depending on the platform you are using so lets cover the basics here and then move on to platform differences.

version: 2
  # Enable version updates for nuget
  - package-ecosystem: nuget
  # Directory to start searching from
    directory: "/src" 
  # how many open PRs dependabot can have
    open-pull-requests-limit: 10
  # Where the PRs should target
    target-branch: "feature/dependency-updates"
  # Name of dependency to ignore wildcards are allowed
      - dependency-name: "*"
  # Update types to ignore
        update-types: ["version-update:semver-major"]
Enter fullscreen mode Exit fullscreen mode

Here you can see I am ignoring major releases as Id rather tackle those directly, The full documentation can be found over on Github. There you will also find you can also update from other packages including npm and docker.


This is the only file you need! You can also create it using the UI follow the guide

The only thing missing here is when to run the updates! The simplest way is to add schedule.interval which has a few options

Interval types  Frequency
daily       Runs on every weekday, Monday to Friday.
weekly      Runs once each week. By default, this is on Monday. To modify this, use
monthly     Runs once each month. This is on the first day of the month.
Enter fullscreen mode Exit fullscreen mode

Schedule can do more complex things of course, Github docs. That's it you'r up and running.

Azure Devops

As Dependabot is a github tool we have to do a bit of extra work to get it to run. First we are going to need the unoffical dependabot wrapper for Azure devops from the store, right now this is the only way I know of to get setup. Once this is installed we need to create a new Azure pipeline and configure the yml file

trigger: none

  - cron: "0 1 * * 0" # 1am Sunday UTC
    always: true # run even when there are no code changes
        - develop
    batch: true
    displayName: Weekly dependency check

  vmImage: "ubuntu-latest" # requires macos or ubuntu (windows is not supported)

  - task: dependabot@1
Enter fullscreen mode Exit fullscreen mode

The task does have a few configuration options which you can find on Github.


If you have followed this hopefully you have a few PRs to run though :D, unfortunatly there is no way to get dependabot to do a single PR with all the updates, however a few pipeline updates or a Github PR workflow could allow you to do alot more.

At the very least at least you will know if something builds and tests pass.

Top comments (0)