First I want to let you know I have a hard time keeping track of my projects' dependencies, especially if it is something I don't update often, and it might be too late when I finally find out something I'm using is no longer supported, so I was glad to find out about GitHub's way of dealing with this.
Some time ago, I learned about a few ways to check for updates on your dependencies, and from time to time I would remember to check it and update my stuff, but it wasn't enough for me, and it got old fast, too manual, until...
And even if this is not exactly new I don't think we use it enough!
Dependabot checks for dependency updates across many different package ecosystems, such as npm, Terraform and even GitHub Actions! Besides its range, this tool can also:
- Open automatic Pull Requests with the updates;
- Ask for specific reviewers;
- Run as often as you want, daily, weekly, and so on;
- Tag the Pull Request it opens as you like;
- Be configured with a file inside the repository itself;
- Show you changelogs for every single update it finds;
- Check dependencies inside specific directories;
- Check dependencies for multiple technologies inside the same repository.
To configure Dependabot the way you want it to work inside your repositories, all you have to do is add a file called `dependabot.yml` inside the `.github` directory at the root of your repository.
A simple version of the file to keep track of your GitHub Actions dependencies with daily checks could look like this:
- package-ecosystem: "github-actions"
And that's about it! It is already set and ready to start helping you.
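A fuller configuration that exercises several of the features listed above (multiple ecosystems, a specific directory, different schedules, custom labels). This is an added example, not the configuration from the original post; the `/infra` directory, the label names and the pull request limit are assumptions chosen for illustration:

```yaml
# .github/dependabot.yml
# Added example: directory "/infra", the label names and the PR limit are assumptions.
version: 2
updates:
  # Actions referenced by workflow files; with directory "/" Dependabot
  # looks in .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    labels:              # labels must already exist in the repository
      - "dependencies"
      - "ci"

  # npm packages declared in the package.json at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
    # Cap the number of open update PRs so reviews do not pile up.
    open-pull-requests-limit: 5

  # Terraform providers and modules kept in a subdirectory (hypothetical path).
  - package-ecosystem: "terraform"
    directory: "/infra"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "terraform"
```

Each entry under `updates` is independent, so an ecosystem that changes quickly can be checked daily while slower ones stay weekly.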
If you want to know more about the launch of this tool, check the original post by GitHub:
To learn about `dependabot.yml`, check the official syntax guide:
Also, here's an example of mine of what `dependabot.yml` looks like inside a repository:
Finally, there's also a list of supported package ecosystems: