Keep your projects up to date with Dependabot

— 2 minute read


Dependabot is a super fantastic tool that can check your GitHub projects for any dependencies that need updating.

It looks for multiple things, including security issues, compatibility, and more.

As developers, we should all be wanting to keep up dependencies up to date, but as many will know, it's hard work. Especially projects that you build a year ago and are not actively updating.

Dependabot does a lot of this work for us. It can even go as far as making a PR for us! How much easier do you want your life to be?

Dependabot pull request in GitHub

Setting up Dependabot permalink

Now for the cool part, Dependabot doesn't need any fancy setup scripts or hard to understand installations. Even better, it's built into GitHub!

On GitHub, visit your settings page, and click the Security & analysis tab.

This is where you can enable Dependabot.

Dependabot settings in GitHub

Note: You can also switch to your team and enable Dependabot for team repos!

You will see a couple of options here:

  • Dependency graph: This shows a graph of dependencies based on your package.json, composer.json, etc. (This is by default enabled for public repo's).

You can find the dependency graph on your repo -> Insights -> Dependency graph:

GitHub dependency graph

  • Dependabot alerts: This function will send you notifications if any of your dependencies have a vulnerability and needs updating. (You'll also get emails and notifications for these)

GitHub dependabot alerts

  • Dependabot security updates: My favorite function, since it can update non-vulnerable dependencies itself! It will still create PR's for you.

Dependabot security updates

Conclusion permalink

Dependabot is an essential part of the development pipeline to ensure projects stay safe and are not exposed to vulnerabilities.

I would strongly urge you to enable Dependabot for your team and personal account if you haven't done it already.

Thank you for reading, and let's connect! permalink

Thank you for reading my blog. Feel free to subscribe to my email newsletter and connect on Facebook or Twitter