Another cheat sheet for Dependabot

spO0q 🐒🎃 - Apr 8 '22 - Dev Community

Basic concepts

What is Dependabot?

Dependabot automates dependency management and supply-chain security checks for free: it reads your manifests and lockfiles, and opens pull requests when a dependency has a newer version or a known vulnerability.

With a simple dependabot.yml file in your repository and a few lines inside, you can automatically raise pull requests to keep your dependencies up-to-date.

This matters for security, as supply chain attacks are rising and an outdated dependency with a published advisory is one of the most common ways in.

Is it only for GitHub?

Yes. GitHub (itself owned by Microsoft) acquired Dependabot in 2019, and it now runs as a built-in GitHub feature.

What is GitHub Advisory Database?

It's the main database Dependabot uses to learn about security vulnerabilities: a curated list of advisories (CVEs and GitHub-reviewed advisories) for packages in the ecosystems Dependabot supports. A Dependabot alert is raised when one of your dependencies matches an advisory in it.

How can I enable Dependabot?

Go to YOUR_REPO/settings/security_analysis. You get a dedicated page, "Code security and analysis", where you can enable Dependabot's features one by one: alerts, security updates and version updates.

Where do I put the configuration file?

On GitHub, create the file at /.github/dependabot.yml (a .github directory at the repository root). Version updates start once the file is committed to the default branch.

Getting started with dependabot.yml

Here is a very basic example to handle npm dependencies:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"

Don't forget the version parameter!

Is it for public packages only?

No. You can add a registries section with authentication details to dependabot.yml, then reference it from the updates entry that needs it (a registry that is only declared at the top level is never used). The credentials come from Dependabot secrets, configured under Settings > Secrets and variables > Dependabot; Dependabot cannot read Actions secrets:

version: 2
registries:
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    username: my_username
    password: ${{secrets.MY_NPM_PASSWORD}} # a Dependabot secret, not an Actions secret
updates:
  - package-ecosystem: "npm" # could be "bundler", "pip", "docker", "composer", etc @see https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem
    directory: "/"
    registries:
      - npm-npmjs # required: top-level registries are only used when referenced here ("*" means all of them)
    schedule:
      interval: "weekly"

Schedule interval

The schedule interval is required and probably one of the most critical settings, as it determines how often Dependabot checks for updates and raises PRs.

I really appreciate the possibility of spacing out updates, because you don't have infinite time to allocate to each repository. There are different options:

  • daily
  • weekly
  • monthly

You can add schedule.day if you choose weekly, to start the cycle on a day other than Monday (the default):

    schedule:
      interval: "weekly"
      day: "friday"

You can even add a specific time:

    schedule:
      interval: "weekly"
      day: "friday"
      time: "10:01" #10:01am UTC

If you don't want UTC, you can specify an IANA timezone name:

    schedule:
      interval: "weekly"
      day: "friday"
      time: "10:01"
      timezone: "Europe/Vatican"

Custom labels

The default label for all PRs is "dependencies", but you might want to customize that, especially when you handle multiple package ecosystems. Note that labels must be a list, even for a single label:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "npm-dependencies"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "docker-dependencies"

It also keeps things organized. You can set several labels per package ecosystem; labels that don't exist in the repository are ignored, and labels: [] disables labelling altogether.

Target branches

By default, Dependabot raises version-update PRs against the default branch. Use the target-branch parameter to target another branch instead; you can set a different branch per package ecosystem. Security updates are not affected by this setting and always target the default branch:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "npm-dependencies"
    target-branch: "trunk"

Available packages ecosystems

Go there

Helpful commands

| Command | Description |
| --- | --- |
| @dependabot cancel merge | cancel a previously requested merge |
| @dependabot close | close the PR; Dependabot will not recreate the same PR |
| @dependabot ignore this dependency | close the PR and stop Dependabot raising PRs for this dependency (until you reopen the PR or upgrade it yourself) |
| @dependabot ignore this major version | close the PR; Dependabot will not recreate PRs for this major version |
| @dependabot ignore this minor version | close the PR; Dependabot will not recreate PRs for this minor version |
| @dependabot merge | merge the PR once CI tests pass |
| @dependabot rebase | rebase the PR |
| @dependabot recreate | recreate the PR from scratch, overwriting any manual edits |
| @dependabot reopen | reopen the closed PR |
| @dependabot squash and merge | squash and merge once CI tests pass |

You can "talk" with the bot by commenting on the PR with special commands, which can save a lot of time. For example, I often use the @dependabot rebase command to resolve merge conflicts between several PRs that update the same dependencies.

Quite often that is all it takes to get a stuck PR moving again.

Things to know and errors to avoid

Dependabot is fantastic but be aware of potential mistakes:

  • Don't merge PRs blindly: a new version can break your app, and the diff Dependabot shows is the version bump, not the upstream changes. Read the release notes and commits it links in the PR body.
  • Add a CI server whenever you can, especially for live production apps, so every PR is tested before it is merged.
  • Dependabot does not warn about absolutely everything: it only covers dependency files it can parse and advisories present in the GitHub Advisory Database, so keep other monitoring in place.
  • Enabling Dependabot grants GitHub read access to your repository for analysis purposes.
  • Dependabot may fail to read your dependency file; check the Dependabot tab under Insights > Dependency graph, which shows when each manifest was last checked and any errors.
  • PRs should be reviewed by several members of the team, not just one person.
  • Remove unused dependencies: fewer dependencies means fewer update PRs and less attack surface.

More advanced usages

Dependabot is pretty straightforward but you might need more advanced usages.

open-pull-requests-limit

By default, Dependabot opens at most 5 version-update PRs at the same time per updates entry, but you can change this per package ecosystem. The limit only applies to version updates; security updates have their own separate limit:

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 12

How to disable PRs for a specific package ecosystem

You may set the open pull requests limit to 0. This disables version updates for that entry only; security updates are switched on and off separately in the repository's security settings:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "npm-dependencies"
    open-pull-requests-limit: 0 # 0 disables version-update PRs for npm
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "docker-dependencies"
    open-pull-requests-limit: 12

Auto merges

It's possible to connect Dependabot to GitHub Actions workflows for automatic merges. While it's not something I would recommend, you might beg to differ. Keep in mind that an auto-merged PR lands in your tree without anyone having looked at what the new release actually contains. Here's a nice introduction.

versioning-strategy

The versioning-strategy parameter changes how Dependabot edits the manifest when it bumps a dependency; the default depends on the package manager. Possible values are auto, increase, increase-if-necessary, lockfile-only and widen (not every package manager supports all of them).

For example, you might want Composer to raise the requirement in composer.json only when the new version no longer satisfies the existing constraint, and otherwise update the lockfile only. In that case, you can do:

version: 2
updates:
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    versioning-strategy: increase-if-necessary
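Putting the options above together, here is a complete dependabot.yml covering several ecosystems. It is an added example, not the original post's file: the registry name and URL, the Dependabot secret name, the branch name and the labels are placeholders to adapt. It also adds the github-actions ecosystem, which keeps the actions pinned in your workflows up to date (they are a dependency like any other).

```yaml
# Added example, not from the original post. Registry, secret, branch and label
# names are placeholders.
version: 2

registries:
  npm-private:                                  # arbitrary name, referenced below
    type: npm-registry
    url: https://npm.example.com                # placeholder private registry
    token: ${{ secrets.NPM_PRIVATE_TOKEN }}     # a Dependabot secret, not an Actions secret

updates:
  # Application dependencies: weekly, early Monday, against the integration branch
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-private                             # without this the registry above is never used
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Paris"
    target-branch: "develop"                    # version updates only; security updates still target the default branch
    labels:                                     # always a list, even for one label
      - "dependencies"
      - "npm"
    open-pull-requests-limit: 10
    versioning-strategy: increase

  # Base images: fewer open PRs, default branch
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "docker"
    open-pull-requests-limit: 3

  # The CI workflows' own actions, checked monthly
  - package-ecosystem: "github-actions"
    directory: "/"                              # "/" means .github/workflows
    schedule:
      interval: "monthly"
    labels:
      - "dependencies"
      - "ci"
```

Each updates entry is independent: its own registries, schedule, branch, labels and limit. If Dependabot does not pick up a change, check that the file sits on the default branch and look at the Dependabot tab under Insights > Dependency graph for parse errors.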

Dependency Graph

Go to YOUR_REPO/network/dependencies to get an overview of all your dependencies. There's even a tab called "Dependents" where you can list repositories that depend on your repository.
