
In our previous post, we looked at Renovate, a free tool that helps you automatically manage updates of third-party dependencies. In this post, we’ll look at a similar tool called Dependabot from GitHub.

Like Renovate, Dependabot supports many programming languages and their package managers, automating dependency updates for Ruby, JavaScript, Python, PHP, Elixir, Elm, Go, Rust, Java, and .NET, among others. Dependabot is also free, provided your code repository is hosted on GitHub.

If you missed our first post on automating dependency updates and securing your site or application, please check it out! It explains in detail why automating dependency updates matters. As in that post, we will demonstrate how to run dependency updates for Drupal, npm (Node.js), and Docker.

Need assistance automating your website updates and keeping up with important security patches? Reach out.

Our experts can help you configure automatic updates that prevent you from falling victim to the latest security vulnerabilities. 

Getting Started

Setting up Dependabot on GitHub is simple. There are no prerequisites or services to configure outside of your repository. Under the “Settings” tab of a repository, click the “Code security and analysis” link in the sub-navigation on the left. If you cannot see this section, you lack the required permissions on the repository; ask your repository admin(s) for access.

A screenshot of a “Code security and analysis” menu with alert, security, and version settings for Dependabot.

On this screen, a few toggles get you started with Dependabot immediately. The first enables Dependabot alerts, which notify team members when a dependency in your manifest or lock files has a known, published vulnerability. Alerts are also the prerequisite for the pull requests that fix those vulnerabilities. This is the first useful step with Dependabot: at a minimum, you receive notifications of security vulnerabilities within your application stack.

The second toggle enables Dependabot security updates. When it is active, Dependabot opens a pull request for each vulnerable dependency it detects in your package manager lock files, bumping it to the lowest version that resolves the alert. Note that this feature only acts on dependencies that have an alert; pull requests for routine releases, bug fixes, and new features are the job of version updates, the third option below.

Enabling alerts and security updates is the best option if you want value from Dependabot as soon as possible: vulnerable dependencies get fixed automatically with no further action from you or your team. Unlike Renovate, these two features need no configuration file, so for an average project you can flip both toggles and have automated security updates rolling. Really: you can pause reading here and do it right now!

The third option, Dependabot version updates, gives you a boilerplate configuration file and tells Dependabot to keep dependencies current even when they have no known vulnerabilities. This is where you configure how, where, what, and when updates are fetched and treated.

Configuring dependabot.yml

To give Dependabot some instructions, you must supply a file in your repository for Dependabot to read from.

At the root of your project, create a .github directory (note the leading dot in front of github). Inside, create a dependabot.yml file. The dependabot.yml file is where your instructions are stored for package managers on how to handle updates, like the renovate.json file for Renovate.

Here is a basic example that runs once a day and checks for updates to dependencies managed by Composer, the PHP package manager. Indentation matters in YAML: every key belonging to a list item must line up with the key that follows the dash.

version: 2

updates:
  - package-ecosystem: "composer"
    directory: "/"
    versioning-strategy: increase-if-necessary
    commit-message:
      prefix: "Composer"
      include: "scope"
    schedule:
      interval: "daily"

With just this small amount of configuration, Dependabot will start opening pull requests daily for any dependency in your composer.lock file that has a newer release. This is roughly equivalent to the Renovate package rule from our previous post, which additionally limited updates to drupal/ packages:

{
  "managers": ["composer"],
  "matchPackagePatterns": ["^drupal/"],
  "rangeStrategy": "update-lockfile",
  "groupName": "Composer dependencies"
}

After committing the file to the repository, when Dependabot runs, it will start creating pull requests for new updates:

A screenshot of Dependabot creating pull requests for dependency updates to Acquia search and Drush.

Dependabot supports many more configuration options, though. You can change which branch the pull requests are opened against, and request reviewers for them. Requesting a reviewer does not by itself block merging; whether an approval is required is governed by the branch protection rules on the target branch:

    target-branch: "develop"
    reviewers:
      - person_one
      - person_two

Like Renovate, you can also limit exactly what is updated. If you only want updates for Drupal core and nothing else from Composer, you can specify that. The * wildcard matches zero or more characters, so this pattern covers drupal/core-recommended, drupal/core-composer-scaffold, and the other drupal/core- packages; because the hyphen is part of the pattern, it does not match a direct drupal/core requirement, so add a second dependency-name entry if your composer.json requires that package directly:

    allow:
      # Allow updates for Drupal core only
      - dependency-name: "drupal/core-*"

Finally, you can also schedule when Dependabot should check for updates. For example, if you wanted to run Dependabot daily at 8 a.m. Eastern time for npm packages (America/New_York follows daylight saving time, so this stays at 8 a.m. local year-round):

updates: 
  - package-ecosystem: "npm" 
    directory: "/" 
    schedule: 
      interval: "daily" 
      time: "08:00" 
      timezone: "America/New_York" 
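To tie the pieces above together, here is a complete .github/dependabot.yml that covers the three stacks this post discusses: Drupal via Composer, a front end via npm, and Docker base images in Dockerfiles. This is an added example, not a file from the original post or from GitHub's documentation. The branch name, labels, reviewer handles, the webpack ignore rule, and the assumption that each manifest lives at the repository root are illustrative choices; adjust them to your repository.

```yaml
# .github/dependabot.yml
# Added example (not from the original post). Branch names, labels, reviewer
# handles, the ignored package and the directories are assumptions.
version: 2

updates:
  # Drupal: PHP dependencies managed by Composer.
  - package-ecosystem: "composer"
    directory: "/"                     # where composer.json lives (assumed)
    schedule:
      interval: "daily"
      time: "08:00"
      timezone: "America/New_York"
    # Same strategy as the earlier example: only raise the version constraint
    # when the new release no longer satisfies it.
    versioning-strategy: increase-if-necessary
    commit-message:
      prefix: "Composer"
      include: "scope"
    allow:
      # Drupal core and contrib only; other Composer packages are left alone.
      - dependency-name: "drupal/*"
    open-pull-requests-limit: 5         # cap open PRs so the queue stays reviewable
    labels:
      - "dependencies"
      - "drupal"
    target-branch: "develop"            # assumed integration branch
    reviewers:
      - "person_one"                    # assumed GitHub handle

  # Front end: npm packages from package.json / package-lock.json.
  - package-ecosystem: "npm"
    directory: "/"                     # where package.json lives (assumed)
    schedule:
      interval: "weekly"
      day: "monday"
    ignore:
      # Hold back major versions of a package that needs a manual migration;
      # minor and patch releases still get pull requests.
      - dependency-name: "webpack"     # assumed package
        update-types: ["version-update:semver-major"]
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "javascript"
    target-branch: "develop"

  # Docker: base images referenced in Dockerfiles. docker-compose files are
  # not crawled by Dependabot (see "Which Tool is Right for You?").
  - package-ecosystem: "docker"
    directory: "/"                     # directory containing the Dockerfile (assumed)
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "docker"
    target-branch: "develop"
```

Two practical notes on using a file like this. First, every pull request Dependabot opens is still a change to your supply chain: keep your CI running on the target branch and let a person review the diff and the upstream changelog before merging, rather than auto-merging on green. Second, keep ignore rules narrow (a named dependency plus specific update-types, as above) so that a rule meant to postpone one migration does not quietly silence updates you do want.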

See all the available configuration options for Dependabot.

Which Tool is Right for You?

Velir uses both Dependabot and Renovate on our projects depending on what we need or where client repositories are hosted.

Dependabot is only available if your repository is hosted on GitHub. Renovate, however, can be used with GitHub, GitLab, Bitbucket, Azure DevOps, and Gitea. While most of our clients are on GitHub, we do have a percentage on GitLab, Azure DevOps, and Bitbucket, where we turn to Renovate to solve our needs. I am also using Renovate to keep my own site updated since I use GitLab.

If you are on GitHub, Dependabot is very easy to set up. The default settings and the boilerplate configuration file it provides are usually enough to cover most average projects without tweaking. You don’t need to be highly technical to set it up, so organizations without an agency, or with a stretched internal IT department, can put it to work right away.

Since Dependabot is built specifically for GitHub, its configuration options are far narrower than Renovate’s. For teams who need much more control over their update process and who have the technical expertise, Renovate may be the more suitable choice, especially since you can create a global preset and extend it on a repository-by-repository basis.

While both tools support a long list of platforms and package managers, there is one thing Dependabot does not work with at the time of writing: docker-compose. If your project stack relies on docker-compose files instead of Dockerfile(s), Dependabot has no support for crawling a docker-compose file and proposing newer Docker images. Renovate handles both Dockerfiles and docker-compose files, as we showed in our post on Renovate. There is an outstanding issue requesting this support in Dependabot, but it remains unsupported.

Additionally, Dependabot doesn’t support user-defined versioning schemes. If you wanted to change how it interprets version strings, as we demonstrated for Docker image tags in the Renovate post, you cannot.

Having said that, Dependabot is still a great tool and we put it to good use at Velir!

Automating and Accelerating Dependency Updates

Keeping dependencies up to date and secure can be a monumental undertaking. Tools like Dependabot and Renovate ease the process and let you accelerate it across several projects at once with fewer resources. Dependabot lets you start automating your updates quickly, while Renovate allows much more customization. Both are great tools that we use to automate dependency updates for our clients; which one we choose depends on the client and their specific needs.

If you’re interested in learning how you can create secure automated updates for Drupal, Sitecore, Adobe AEM, or various frontend stacks, contact us. We’re happy to help you configure them, or manage your automated updates ourselves.
