DEV Community

wolfiton

Github bot @dependabot fixes security vulnerabilities

Hi everyone,

Today I want to write about @dependabot, GitHub's automatic dependency-update bot, which keeps your project dependencies up to date.

It works with all the popular languages like:

  • ruby
  • java
  • python
  • javascript
  • rust
  • elixir

You can find the full list of currently supported languages here, Dear Reader.

I had one project with acorn 5.7.3 in a Vue project (not a Vue project, an old Phoenix project), and @dependabot automatically updated my acorn to 5.7.4.

This is what the update operation looks like (see the picture below):

[Image: the @dependabot update pull request]

Thanks to @rob's comment, let's add more context to what @dependabot is doing:

First, I also merged that PR, and the result can be seen in the picture below.

[Image: the repository after merging the @dependabot PR]

As we can see, @rob was right: GitHub deleted our package-lock.json file and added a new dependency to it.

So, to really update our project, we will have to make a new commit after running yarn upgrade or npm update.

@dependabot can also be driven manually, using the @dependabot rebase command on the pull request.

Well, this is all well and good, Wolfiton, but how much does it cost?

The good news, Dear Reader, is that GitHub has just acquired @dependabot, and it is free of charge.

So you can start using it today in all your projects and even automate it to run on scheduled times or on a commit.
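One way to set up that scheduled run, added here as an example and not taken from the original post or from the Dependabot project: a .github/dependabot.yml in GitHub's current version 2 format (which postdates the dependabot.com configuration the screenshots above come from), covering the npm and Elixir/Mix ecosystems mentioned in this post. The repository layout, the timezone and the ignore rule are assumptions; note that versioning-strategy is the key that decides whether the manifest is bumped alongside the lockfile.

```yaml
# .github/dependabot.yml (constructed example; GitHub-native Dependabot, config version 2)
version: 2
updates:
  # JavaScript dependencies, e.g. the acorn bump described in the post.
  - package-ecosystem: "npm"
    directory: "/"                  # assumption: package.json lives at the repository root
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Bucharest"  # assumption; any IANA time zone name is accepted
    # Bump package.json as well as the lockfile, so the manifest records the new
    # version; "lockfile-only" would change package-lock.json / yarn.lock alone.
    versioning-strategy: "increase"
    ignore:
      # assumption: keep the framework on its current major, still accept minor/patch
      - dependency-name: "vue"
        update-types: ["version-update:semver-major"]
    open-pull-requests-limit: 10    # cap the number of simultaneous update PRs
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
      include: "scope"              # e.g. "deps(dev): bump ..." for devDependencies

  # Elixir/Phoenix dependencies managed by Mix (the old Phoenix project case).
  - package-ecosystem: "mix"
    directory: "/"                  # assumption: mix.exs at the repository root
    schedule:
      interval: "weekly"
```

Commit this file to the default branch; Dependabot reads it from there and opens its pull requests on the configured schedule.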

Pretty handy right?

What do you think Dear Reader, will you use @dependabot rebase to keep your projects secure?

I hope you enjoyed the article, Dear Reader.

If you also find it useful, share it on social media.

Credits:

https://dependabot.com/

Thanks, @rob for your comment and experience with @dependabot


Top comments (5)

Jan Küster 🔥

I like this automation of version bumps but I'd really like to have it update the top-level dependent. In most cases the vulnerable packages are not the ones in the top level but x-levels deep. However, at the time the fixes are available through the bots, they are often fixed in the top level dependencies so ultimately I will update them anyway next time. Has anyone experience with configuring a bot to behave in this way?

Jan Küster 🔥

Okay I just realized, that's actually exactly what Greenkeeper or david-dm do :-)

Sharad Raj (He/Him)

I had a similar experience with my Jekyll theme and gem versions.

wolfiton • Edited

Thanks @ryanwestlund for sharing your opinion on @dependabot. What has impressed you the most regarding @dependabot?

The automation? The multi-language support?

wolfiton • Edited

Interesting, @rob. I haven't pushed the PR yet.

Thanks for the explanation and your experience with @dependabot.
