Automate GitHub Dependency Updates with Dependabot


You should be familiar with this tiring email notification from GitHub.


If you have tons of repositories on GitHub like me, you will receive tons of these emails virtually every day. This gets annoying, because most of the time the vulnerabilities come from installed packages, which might get updated daily.

You can use automated or manual pull requests to update vulnerable dependencies. Before now, I only used the manual method, but this wasn't efficient, as I sometimes had to send multiple pull requests to fix several vulnerabilities.

I figured that not everyone knows about this amazing service, and with this article, more developers will save the time used to fix vulnerabilities manually.

Introducing Dependabot

Dependabot is a GitHub App that is automatically installed on every repository where automated security updates are enabled, and it creates pull requests to keep your dependencies secure and up to date.

Every day, Dependabot checks your dependency files for outdated requirements and opens individual pull requests for any it finds. You review the PRs, merge them, and get to work on the latest, most secure releases.

Before now, Dependabot was a standalone paid service, until it was acquired by GitHub and directly integrated into GitHub, thereby making it free of charge.

How it works

When you receive a security alert about a vulnerable dependency in your repository, Dependabot resolves the vulnerability using an automated security update via a pull request.

GitHub automatically creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability.

So it works in three steps:

  • Dependabot checks for updates
  • Dependabot opens a pull request
  • You review and merge

Getting Started

Before now, you would need to install the service, but since it is now integrated into GitHub, you would have to configure some settings to get started.

Dependabot currently supports Ruby, JavaScript, Python, PHP, Elixir, Rust, Java, .NET, Go, Elm, Git submodules, Docker, Terraform and GitHub Actions.

For repositories created before November 2019, GitHub has automatically enabled automated security updates if the repository meets some criteria and has received at least one push since May 23, 2019.

Here's how to activate or deactivate Dependabot for your repository:

  • Navigate to the main page of the repository on GitHub


  • Click on the Security tab, below the repository name


  • Click on the Automated security updates drop-down menu and select or unselect Automated security updates to turn it on or off.


On this page, if automated security updates are already turned on, you also get to see the list of open vulnerability alerts.


  • When there is any vulnerability update, Dependabot automatically creates a pull request to fix it, and all you have to do is merge.


Custom Configuration

You can also configure Dependabot by committing a config file to your repository that describes in more detail how Dependabot should behave.

The config.yml is used to configure how Dependabot behaves and is located in a folder named .dependabot at the root of your repository.

Here is an example of a starter configuration that keeps track of updates in a JavaScript project (immediately, as soon as a new version is published) and a Docker project (batched weekly), and sets default reviewers and labels for the pull requests Dependabot opens.

version: 1
update_configs:
  # Keep package.json (& lockfiles) up to date as soon as
  # new versions are published to the npm registry
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"
  # Keep Dockerfile up to date, batching pull requests weekly
  - package_manager: "docker"
    directory: "/"
    update_schedule: "weekly"
    # Apply default reviewers and labels to the pull requests
    # created for this update config
    default_reviewers:
      - "bolajiayodeji"
      - "angiejones"
    default_labels:
      - "dependencies"
      - "changelog"
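The same settings expressed in the newer dependabot.yml format (version 2, placed at .github/dependabot.yml) that GitHub later adopted in place of .dependabot/config.yml. This is an added example, not part of the original post; the reviewer and label names are reused from the configuration above and are assumptions.

```yaml
# .github/dependabot.yml (version 2 format)
version: 2
updates:
  # npm: check daily; "live" has no v2 equivalent, daily is the most frequent interval
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    # Reviewers and labels are set per update entry (assumed names)
    reviewers:
      - "bolajiayodeji"
      - "angiejones"
    labels:
      - "dependencies"
      - "changelog"
  # Docker: batch checks weekly
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    reviewers:
      - "bolajiayodeji"
      - "angiejones"
    labels:
      - "dependencies"
      - "changelog"
```

Note that the v2 keys use hyphens (package-ecosystem, schedule.interval) and name the ecosystem (npm) rather than the language (javascript).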

Read more about the configuration options

Conclusion

Automated security updates take the tedium out of dependency updates and let you fix vulnerable dependencies safely; all you have to do is merge a pull request :).

I hope this helps you save more time and worry less about the numerous GitHub security alerts.

Dependabot is also open-sourced, feel free to contribute:

Michael Meyers:

Have you ever tried using the commit_message configuration parameter? I've followed your steps, but dependabot doesn't seem to be respecting the commit message prefix that I gave it. I've used the config file validator and it says it looks fine. Curious if anyone else has had success with it.

Michael Meyers:

Actually I think the problem is only with java:maven. When I did javascript it worked fine.

Bolaji Ayodeji:

Glad to hear it worked finally, cheers! Michael Meyers

Quincy Larson:

This is a great introduction to Dependabot. This is the first I'd heard of it, but I'll be sharing it with the team.


Bolaji Ayodeji:

Glad you liked this Quincy. Thank you :).

Julien Danjou:

You could merge those automatically using Mergify. See this article: medium.com/mergify/automatic-merge-of-githu..

Bolaji Ayodeji:

Looks great! Thanks for mentioning.