Automate GitHub Dependency Updates with Dependabot
You should be familiar with this tiring email notification from GitHub.
If you have tons of repositories on GitHub like me, you will receive tons of these emails virtually every day, and this can be annoying as most time, the vulnerabilities come from installed packages, which might get updated daily.
You can use automated or manual pull requests to update vulnerable dependencies. Before now, I only used the manual method, but this wasn't efficient as I sometimes have to send multiple pull requests to fix several vulnerabilities.
I figured that not everyone knows about this amazing service, and with this article, more developers will save the time used to fix vulnerabilities manually.
Dependabot is a GitHub App which is automatically installed on every repository where automated security updates are enabled and create pull requests to keep your dependencies secure and up-to-date.
Every day, Dependabot checks your dependency files for outdated requirements and opens individual pull requests for any it finds. You review the PRs, merge them, and get to work on the latest, most secure releases.
Before now, Dependabot was a standalone paid service until it was aquired by GitHub and directly integrated into GitHub, thereby making it free of charge.
How it works
When you receive a security alert about a vulnerable dependency in your repository, Dependabot resolves the vulnerability using an automated security update via a pull request.
GitHub automatically creates a pull request in your repository to upgrade the vulnerable dependency to the minimum possible secure version needed to avoid the vulnerability.
So it works in three steps:
- Dependabot checks for updates
- Dependabot opens a pull request
- You review and merge
Before now, you would need to install the service, but since it is now integrated into GitHub, you would have to configure some settings to get started.
For repositories created before November 2019, GitHub has automatically enabled automated security updates if the repository meets some criteria and has received at least one push since May 23, 2019.
Here's how to activate or deactivate Dependabot for your repository:
- Navigate to the main page of the repository on GitHub
- Click on the Security tab, below the repository name
- Click on the Automated security updates drop-down menu and select or unselect Automated security updates to turn it on or off.
In this page, you also get to see a list of open vulnerabilities alerts if turned on already
- When there is any vulnerability update, Dependabot automatically creates a pull request to fix it, and all you have to do is merge.
You can also configure Dependabot via a commit config files to your repositories with more details of how Dependabot should behave.
config.yml is used to configure how Dependabot behaves and is located in a folder named
.dependabot at the root of your repository.
Automated security updates help to easily and safely fix tiring dependency updates, and all you have to do is merge a pull request :).
I hope this helps you save more time and worry less about the numerous GitHub security alerts.
Dependabot is also open-sourced, feel free to contribute:
Have you ever tried using the
commit_message configuration parameter? I've followed your steps, but dependabot doesn't seem to be respecting the commit message prefix that I gave it. I've used the config file validator and it says it looks fine. Curious if anyone else has had success with it.