Blog 5 Sp21

Blog 5-SP21

THE ONE THE ONLY DEPENDABOT

I was actually in the process of researching a Github action, for publishing to Github Pages, when i stumbled up the Dependabot. I thought it was interesting and thought it wouldn’t hurt to include that in our project repo, and now I’m using it for a blog. Love it when things fall into place haha.

Anyways…

What do it do… also how, and why?

Well from what I’ve read and seen from other developers ( I am not claiming to be one lol), is that it essentially keeps your dependencies up to date. Which is actually quite a useful tool for developers. No longer having to “physically” update your package depencies, probably frees up more time for other things in the work day.

Dependabot in Github Actions has:

  • Nice Pull Requests These PR requests put my own to shame. They include release notes, changelogs and commit links whenever they’re available. They’ll also automatically keep themselves conflict-free. Which is pretty nifty.

  • Automated Security Notifications Wow it even automates security notifications for Ruby, JavaScript, PHP, Java, .NET, Python, Elixir and Rust. Pull Requests are automatically made in response to security advisories.

  • Compatility Scores Dependabot aggregates everyone’s test results into a compatibility score, so you can be certain a dependency update is backwards compatible and bug-free.

But really how does it work?

After enabling it in your repo, and made the .yml file in your .github/workflows, and connected your account to the Dependabot, it works immediately.

The bot, itself, starts by checking the configuration file in your repo. The configuration file specifies the location of the manifest, or of other package definition files, stored in your repository. Then checks for any outdated packages and apps. It then determines if there is a new version of a dependency by looking at the “semantic versioning (semver) of the dependency to decide whether it should update to that version”.

When Dependabot notices that something is outdated, it creates a pull request to update that dependency. From there it’s up to you to check that the tests pass, go over the changelog, and other notes included in the PR summary, then just merge it.

Pretty nifty tool ain’t it!

Written on April 1, 2021