| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: "Setup Dependabot" |
| 4 | +date: 2025-01-03 10:00:00 -0500 |
| 5 | +categories: technology |
| 6 | +--- |
| 7 | + |
| 8 | +Dependabot is one of the most underrated features on a GitHub repository. It's a |
| 9 | +free service that ensures your dependencies are up to date and warns you about |
| 10 | +security issues in them. It does this by automatically scanning your |
| 11 | +dependencies and creating a pull request for you to approve. |
| 12 | + |
| 13 | +## How to Set Up |
| 14 | + |
| 15 | +To set up Dependabot in your GitHub repository, follow these steps: |
| 16 | + |
| 17 | +1. Navigate to the **Insights** tab in your GitHub repository. |
| 18 | +2. Click on the **Dependency graph** on the left. |
| 19 | +3. Depending on whether your repo is public or private, you will see a couple of |
| 20 | + tabs. Open the one for **Dependabot**, and click on the **Enable Dependabot** |
| 21 | + button. |
| 22 | +4. Finally, click on the **Create config file** button. This will create a |
| 23 | + `dependabot.yml` file in the `.github` folder in your repository. |
| 24 | + |
| 25 | +I like to add a groups node to the config file; the groups node tells Dependabot |
| 26 | +to group the updates for the dependencies into two PRs instead of creating a |
| 27 | +separate PR for each update. |
| 28 | + |
| 29 | +```yaml |
| 30 | +version: 2 |
| 31 | +updates: |
| 32 | + - package-ecosystem: "npm" # See documentation for possible values |
| 33 | + directory: "/" # Location of package manifests |
| 34 | + schedule: |
| 35 | + interval: "weekly" |
| 36 | + # Add these groups |
| 37 | + groups: |
| 38 | + development-dependencies: |
| 39 | + dependency-type: "development" |
| 40 | + production-dependencies: |
| 41 | + dependency-type: "production" |
| 42 | +``` |
| 43 | +
|
| 44 | +For other options see |
| 45 | +[the official Dependabot docs](https://docs.github.com/en/code-security/dependabot). |
| 46 | +
|
| 47 | +## What Does a PR Look Like |
| 48 | +
|
| 49 | +Dependabot creates two separate PRs, one for production packages and one for |
| 50 | +development packages. |
| 51 | +
|
| 52 | + |
| 53 | +
|
| 54 | +In the description of each PR, it outlines which packages are updated, with |
| 55 | +links to the commits, release notes, and changelog, when available. |
| 56 | +
|
| 57 | + |
| 58 | +
|
| 59 | +After that, the PRs can follow your regular PR approval process of running tests |
| 60 | +and getting approvals before merging. |