The savior amidst the chaos of dependency updates - Dependabot

4 min read

I briefly touched on Dependabot in , but now it's time to dive deeper into the topic.

So, you have a list of . Sometimes it's short, sometimes it's a mile long.

But the big question is, how do you keep those dependencies up-to-date?

Sure, that's one approach, reacting to warnings that pop up post-install.

But this mainly applies to security updates.

What about regular dependency updates, like bumping from a patch version to a minor version, or from a minor version to a major version, without security concerns?

Enter Dependabot

Here's what that might look like:

# {root}/.github/dependabot.yml
version: 2
updates:
- package-ecosystem: "npm"
  directory: "/"
  schedule:
    interval: "weekly"

Pretty straightforward, right?

Now, you might wonder: "Okay, automated pull requests sound great, but what if we have tons of dependencies? Will it flood our repo with individual pull requests for each one?"

So, am I suggesting that every project gets bombarded with a barrage of pull requests on a weekly (or whatever interval you set) basis for every single dependency update?

But here's the game-changer:

Group updates

It allows you to group sets of dependencies (by package manager) so that Dependabot can open a single pull request to update multiple dependencies simultaneously.

# {root}/.github/dependabot.yml
version: 2
registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries: [github]
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "10:35"
      timezone: "Europe/Warsaw"
    groups:
      exile-watch-build-tools:
        patterns:
          - "@exile-watch/biome-config"
          - "@exile-watch/conventional-changelog-config"
          - "@exile-watch/lefthook-config"
          - "@exile-watch/postcss-config"
          - "@exile-watch/rollup-config"
          - "@exile-watch/typescript-config"
      exile-watch-design-system:
        patterns:
          - "@exile-watch/writ-icons"
          - "@exile-watch/writ-react"
      exile-watch-data:
        patterns:
          - "@exile-watch/encounter-data"

You might notice the registries field:

registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}

By default, when using the npm registry, there's no need to specify the registry.

# {root}/.github/dependabot.yml
version: 2
registries:
  github:
    type: npm-registry
    url: https://npm.pkg.github.com
    token: ${{ secrets.GH_TOKEN }}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries: [github]
    schedule:
      interval: "weekly"
      day: "saturday"
      time: "10:35"
      timezone: "Europe/Warsaw"
    groups:
      exile-watch:
        patterns:
          - "@exile-watch*"
      rollup-config-deps:
        patterns:
          - "@rollup*"
      lefthook-config-deps:
        patterns:
          - "@commitlint*"
          - "commitizen"
          - "lefthook"
          - "cz-conventional-changelog"
      unit-testing-config-deps:
        patterns:
          - "@testing-library*"
          - "vite-tsconfig-paths"
          - "vitest"

With this approach, managing our dependencies suddenly feels like a walk in the park, and the once daunting architecture, brimming with countless dependencies, doesn't seem so scary anymore :).

PreviousWhy doesn't Dependabot update package.json?NextWhy project's local setup instructions are not part of README?

Last updated 1 year ago

Was this helpful?

The savior amidst the chaos of dependency updates - Dependabot

Enter Dependabot

Group updates

Enter Dependabot

Enabling the budget

Group updates

Enabling the budget