Dependabot

Written on July 17, 2020

Keeping dependencies up to date is useful. Even more so if the dependency has a security fix.

I’ve been using Dependabot for a while now, initially with the preview integration. Now that Dependabot is part of GitHub (complete with a name change to ‘GitHub Dependabot’), the integration is even better.

All you need to do is add a file at .github/dependabot.yml, and Dependabot version updates will be enabled for your repository.

Here’s the dependabot.yml file for Show Missing:

version: 2
updates:
- package-ecosystem: nuget
  directory: "/"
  schedule:
    interval: daily
    time: '19:30'
  open-pull-requests-limit: 10
  assignees:
  - flcdrg

It specifies the following:

  • Look for NuGet packages
  • Look for the package manifests (the project files) starting from the repository root
  • Check for updates daily at 7.30pm (UTC, since no timezone is set)
  • Limit to 10 open pull requests at a time (the default is 5)
  • Assign those pull requests to me (flcdrg)
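As an added example (not the file from the Show Missing repository), here is a dependabot.yml that extends the configuration above: it labels the pull requests, holds back major-version bumps of one package so they get deliberate attention while patch, minor and security updates still flow, and also watches the repository’s own GitHub Actions workflows, which are dependencies too. The timezone, label names and the package held back are assumptions, not something the post specifies.

```yaml
# Added example, not the post's own file. Extends the Show Missing
# configuration with labels, an ignore rule and a second ecosystem.
version: 2
updates:
  - package-ecosystem: nuget
    directory: "/"
    schedule:
      interval: daily
      time: "19:30"
      # Assumption: set an explicit timezone; without it the time is UTC.
      timezone: "Australia/Adelaide"
    open-pull-requests-limit: 10
    assignees:
      - flcdrg
    labels:
      - dependencies
      - nuget
    # Assumption: hold back major-version bumps of the test framework so they
    # can be reviewed deliberately. Patch and minor updates still arrive.
    ignore:
      - dependency-name: "xunit*"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "deps"
      include: scope

  # The actions referenced in .github/workflows are dependencies too, so
  # keep them current as well (weekly is usually enough).
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: weekly
      day: monday
    labels:
      - dependencies
      - github-actions
```

Each `package-ecosystem` entry produces its own stream of pull requests, so the `open-pull-requests-limit` applies per entry rather than to the repository as a whole.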

Dependabot creates a separate pull request for each outdated dependency. If release notes or a changelog are available, it includes them in the pull request description, along with the commit history between the old version and the new one.

Dependabot-generated pull request

There’s comprehensive documentation for using Dependabot on the GitHub Docs site, including many more configuration options.

I let Dependabot create the pull requests, but I still decide whether to approve each one (or not). You could even hook up a GitHub Action to auto-merge your Dependabot pull requests! Bear in mind that auto-merging means a broken or malicious upstream release can land on your main branch with only your CI as a gate, so it makes most sense for patch-level updates, with a decent test suite behind them and branch protection that requires those checks to pass first.

Azure Pipelines

The interesting thing about Dependabot is that the core engine is also open source and hosted on GitHub. Andrew Craven has created an example of using the Dependabot engine with Azure DevOps. I’m not sure if he’s still updating that repo, but you might find some of the pull requests I’ve submitted there useful.

You don’t get all the @dependabot bot behaviour you see on GitHub, such as the commands you can leave as pull request comments, as that’s built on top of the core rather than being part of it. I guess if you were keen you could build that functionality too!

I’ve used his code to generate pull requests on some repositories hosted in Azure DevOps, and then used Service Hooks to trigger an Azure Function that updates each pull request to set auto-complete and link a work item.

Categories: Azure Pipelines, GitHub Actions