
Keep your projects up to date with Dependabot


Maintaining projects and applying security updates are essential, and Dependabot can help you with this.

20 Feb, 2021 · 2 min read

Dependabot is a super fantastic tool that can check your GitHub projects for any dependencies that need updating.

It looks for multiple things, including security issues, compatibility, and more.

As developers, we should all want to keep our dependencies up to date, but as many will know, it’s hard work. Especially for projects that you built a year ago and are not actively updating.

Dependabot does a lot of this work for us. It can even go as far as making a PR for us! How much easier do you want your life to be?

Dependabot pull request in GitHub

Setting up Dependabot

Now for the cool part: Dependabot doesn’t need any fancy setup scripts or hard-to-understand installations. Even better, it’s built into GitHub!

On GitHub, visit your settings page, and click the Security & analysis tab.

This is where you can enable Dependabot.

Dependabot settings in GitHub

Note: You can also switch to your team and enable Dependabot for team repos!

You will see a couple of options here:

  • Dependency graph: This shows a graph of dependencies based on your package.json, composer.json, etc. (This is enabled by default for public repos.)

You can find the dependency graph on your repo -> Insights -> Dependency graph:

GitHub dependency graph

  • Dependabot alerts: This function will send you notifications if any of your dependencies have a vulnerability and need updating. (You’ll also get emails and notifications for these.)

GitHub dependabot alerts

  • Dependabot security updates: My favorite function, since it can update non-vulnerable dependencies itself! It will still create PRs for you.

Dependabot security updates
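The post enables these toggles one repo at a time in the GitHub UI. As an added example (not from the original post), here is a small Python audit that checks the same two settings, Dependabot alerts and Dependabot security updates, across a list of repos through GitHub’s REST API, so you can find repos where they are still off. The endpoint paths and status codes are as GitHub documents them; the `acme` repos and their responses are constructed sample data, and the `github_get` helper plus its token argument are assumptions for real runs.

```python
# Added example (not from the original post): audit the two per-repo Dependabot settings
# the post walks through, via GitHub's REST API (endpoints/status codes as GitHub documents them):
#   GET /repos/{owner}/{repo}/vulnerability-alerts      -> 204 enabled, 404 disabled
#   GET /repos/{owner}/{repo}/automated-security-fixes  -> 200 {"enabled": bool, "paused": bool}
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

def github_get(path, token):
    """GET a path and return (status, body). A 404 is a normal answer here, not an error."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",  # token needs admin read on the repo
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return 404, ""
        raise

def audit_repo(owner, repo, get):
    """Classify one repo. `get(path)` returns (status, body) so a fake can replace the network."""
    alerts_status, _ = get(f"/repos/{owner}/{repo}/vulnerability-alerts")
    fixes_status, body = get(f"/repos/{owner}/{repo}/automated-security-fixes")
    return {
        "repo": f"{owner}/{repo}",
        "alerts": alerts_status == 204,
        "security_updates": fixes_status == 200 and json.loads(body).get("enabled") is True,
    }

def find_unprotected(owner, repos, get):
    """Names of repos where Dependabot alerts or security updates are still switched off."""
    results = (audit_repo(owner, name, get) for name in repos)
    return [r["repo"] for r in results if not (r["alerts"] and r["security_updates"])]

# Constructed sample responses so the script runs offline; the "acme" repos are fictional.
FAKE = {
    "/repos/acme/web/vulnerability-alerts": (204, ""),
    "/repos/acme/web/automated-security-fixes": (200, '{"enabled": true, "paused": false}'),
    "/repos/acme/legacy/vulnerability-alerts": (404, ""),
    "/repos/acme/legacy/automated-security-fixes": (200, '{"enabled": false, "paused": false}'),
}
fake_get = FAKE.__getitem__

if __name__ == "__main__":
    print(find_unprotected("acme", ["web", "legacy"], fake_get))  # ['acme/legacy']
```

Against real repos, pass `get=lambda p: github_get(p, token)` with a token that has admin read on them, and loop over the repo names from your org or account.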

Conclusion

Dependabot is an essential part of the development pipeline to ensure projects stay safe and are not exposed to vulnerabilities.

I would strongly urge you to enable Dependabot for your team and personal account if you haven’t done it already.

Thank you for reading, and let’s connect!
