The Ops Community ⚙️

Cover image for How I Keep my Dependencies Updated on GitHub
Leonardo Rodrigues de Oliveira
Leonardo Rodrigues de Oliveira

Posted on

How I Keep my Dependencies Updated on GitHub

First I want to let you know I have a hard time keeping track of my projects dependencies, specially if it is something I don't update often, and it might be too late when I finally find out something I'm using is no longer supported, so I was glad to find out about GitHub's way of dealing with this.

Sometime ago, I learned about a few ways to check for updates on your dependencies, and from time to time I would remember to check it and update my stuff, but it wasn't enough for me, and it got old fast, too manual, until...

Dependabot's Anouncement

And even if this is not exactly new I don't think we use it enough!

Dependabot checks for dependency updates for many different package systems, such as NPM, Terraform and even GitHub Actions! Besides the range of this tool it can also:

  • Open automatic Pull Requests with the updates;
  • Ask for specific reviewers;
  • Run as often as you want, daily, weekly, and so on;
  • Tag the Pull Request it opens as you like;
  • Be configured with a file inside the repository itself;
  • Show you changelogs for every single update it finds;
  • Check dependencies inside specific directories;
  • Check dependencies for multiple technologies inside the same repository;

Setting up

To configure Dependabot the way you want it to work inside your repositories all you have to do is add a file called dependabot.yml inside the directory .github on the root of your repository.

A simple version of the file to keep track of your GitHub Actions dependencies with daily checks could look like this:

version: 2

  - package-ecosystem: "github-actions"
    directory: "/"
      interval: "daily"

Enter fullscreen mode Exit fullscreen mode

And that's about it! It is already set and ready to start helping you.


If you want to know more about the launching of this tool, check the original post by GitHub:
Dependabot's Announcement

To learn about dependabot.yml check the official syntax guide:
dependabot.yml syntax

Also here's an example of mine on how dependabot.yml looks like inside a repository:
dependabot.yml example

Finally there's also a list for supported package ecosystems:
Packages Support

More Content

If this article helped you or someone you know and you want to know more of these useful tools or tips for your IaC needs, follow me on LinkedIn, here or on GitHub and don't miss my updates!

Top comments (1)

melissakaulfuss profile image
Mel Kaulfuß 👩🏻‍🦰💻✌️

Dependabot is a game changer - so important to keep your dependencies up to date. Every other week there's a CVE announced! 😖