Dependabot and GitHub


There is a service in GitHub named Dependabot. It makes managing your dependencies extremely easy and is even easier to set up. You should do it now before the tech debt gets worse.

About Dependabot

Dependabot is an automated service, a robot, if you will, that will check for new versions of packages you depend on based on the type of packages (e.g. node packages hosted on npm’s registry) your project depends on.

The project is free to use now, and is rather safe to use given the project was integrated into GitHub.

Setting It Up In GitHub

Enabling Dependabot

To set it up for a given project, you need to go into GitHub, access a given project’s repository, click on the Settings tab for the repository, then, go into the nested Security & analysis page using the left-side navigation.

There, you will see an option for Dependabot alerts.

Enable that.

Enabling Dependabot Security Updates & the Dependency Graph

In the same place we enabled Dependabot, there are options named Dependabot security updates and Dependency graph.

Enable those too (the latter is enabled by default for public repositories).

Enabling Dependabot’s Automated Dependency Upgrades

Oh yeah, you best believe we are at the best part now!

At the top navigation for your repository, next to the Security tab you clicked earlier, is a tab for Insights.

Click that.

Then, in the left-side navigation, look for Dependency graph.

Click that as well.

Now, you should see three tabs, the last of which should contain Dependabot (and maybe a Beta callout).

Click that tab.

There will be a prompt letting you know that you need to create a configuration file in order for Dependabot to begin creating pulling requests on your behalf to upgrade dependencies as new versions are released.

It should have a prominent button that says Create config file.

You guessed it! Click that.

It will open a new file editor that seeks to create a GitHub configuration directory in your project, in which it will be creating a file named dependabot.yml. This file will already have some template text in it, including instructions on how to configure it for your project.

Follow those instructions.

And that is it! Congratulations, your project will be so much more maintainable and modern!