How to use Dependabot on Github
Keeping your dependencies up to date can be a challenging task. There are a few good tools on the market that can help you with a given type of environment like OWASP Dependency-Check Project, which supports Ant, Maven, sbt, Gradle-based projects, or Scala Steward if you’re using only plain Scala in your project. There is also Snyk, which supports a vast number of languages and build tools, yet it’s a paid tool for non-OSS projects. And, finally, there is Dependabot, recently acquired by Github and available free-of-charge once you host your repos on Github.
How to start
Firstly, you must have a project on Github already set. Also, it would be good to configure a test pipeline using Github Actions. I will use an example NodeJS-based project as it is easy to configure a simple pipeline and NodeJS is one of the environments supported by Dependabot.
Having a project ready, you must create a YAML file under the .github/workflows/ folder, let’s call it ci.yaml, with basic content:
name: CI
on:
  pull_request:
  push:
    branches:
      - main
concurrency: build
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up NodeJS
        uses: actions/setup-node@v3.1.1
        with:
          node-version: '17'
      - name: Test
        run: |
          npm install
          npm run build
          npm run test
As you can see, there is nothing strange in this file: I’m just checking out the code, setting up the Node environment and then running the tests. All of these are actions already available in the Marketplace.
Setting up Dependabot
Adding Dependabot is really straightforward. You just need to create another YAML file with an easy-to-grasp config. This time the name matters: it must be dependabot.yml, created under the .github/ folder:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
I think there is nothing to explain here — I want npm-related updates to be provided on a daily basis and that’s all. After pushing these changes to Github, Dependabot will be activated and will start submitting PRs for any outdated dependency listed in my package.json file.
There is more
As I configured a basic test pipeline using Github Actions, it would be good to keep those actions up to date as well. Github Actions are also versioned and upgraded over the lifetime of the project; there are fixes, adjustments to the Github API and so on. Following the changes is a good practice.
To monitor outdated actions I must add another section to the dependabot.yml file:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
And done! Yet again, there is nothing complicated here: another section covers github-actions, which should be checked on a weekly basis. Dependabot will create another PR if any of the used actions is outdated.
All those PRs will be tested using the pipeline I added at the beginning, so I’m safe to approve them once the tests have passed.
There is even more
Here be dragons … let’s assume that my project is built as a Docker image deployed to a Container Registry (GCR or ECR). As you may know, images can also become outdated and can contain vulnerable code, so it would be good to update them and test the app on the new version. And again, this is a very easy task when using Dependabot, but first I must add a proper test pipeline to launch my tests inside the Docker image.
Here is my example Dockerfile to start the app:
FROM node:16.13.0-alpine
USER root
WORKDIR /app
COPY package*.json ./
COPY src ./src
COPY tsconfig.json ./
RUN npm install
CMD [ "npm", "start" ]
As I’m copying the whole source code into the image, I can also run the tests inside the image (in a real-life project, you should rather use multi-stage builds instead). Let me extend my test pipeline:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up NodeJS
        uses: actions/setup-node@v3.1.1
        with:
          node-version: '17'
      - name: Test
        run: |
          npm install
          npm run build
          npm run test
      - name: Build docker image
        run: docker build -t local .
      - name: Run tests on Docker
        # The whole command chain is wrapped in sh -c so that it runs inside the container;
        # a bare "local npm install && npm run build" would run everything after the first && on the runner host.
        run: |
          docker run -t -v $PWD:/srv -w /srv local \
            sh -c "npm install && npm run build && npm run test"
So I’m building a new docker image tagged local and then running my tests inside the newly built image. Having done that, I can configure Dependabot to keep the image up to date and test my app using the new image. To do this, I must add yet another section to dependabot.yml:
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
I assume I don’t have to explain this :)
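The three sections above are the minimum. As an added illustration (not from the original post), here is the same dependabot.yml extended with the options a maintainer usually wants once PRs start arriving: a cap on open PRs, labels, a commit message prefix, and ignore rules that hold back major bumps (of the node base image, and of a sample npm package; the name "jest" is a stand-in for whatever is in your package.json).

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"              # batch action bumps at the start of the week
    open-pull-requests-limit: 5  # Dependabot stops opening new PRs above this
    labels:
      - "dependencies"
      - "ci"

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    allow:
      - dependency-type: "direct"   # only packages listed in package.json, not transitive ones
    ignore:
      # Major bumps of this package need a manual migration; minor/patch still flow through.
      # "jest" is a placeholder for any dependency in your package.json.
      - dependency-name: "jest"
        update-types: ["version-update:semver-major"]
    commit-message:
      prefix: "deps"
      include: "scope"            # e.g. "deps(deps-dev): bump ..."
    labels:
      - "dependencies"

  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # The app is tested on Node 16 (FROM node:16.13.0-alpine); a jump to node:17 or later
      # is a platform upgrade to be done deliberately, not merged from a routine bump.
      - dependency-name: "node"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
      - "docker"
```

Ignored major versions still show up in Dependabot security alerts, so this does not hide a vulnerable base image; it only keeps the routine version PRs within what the test pipeline above is expected to handle.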
Summary
Keeping your project up to date is part of your duty: you are responsible for your project and the code you deliver. Using Dependabot to help you with these boring tasks can be very easy. I hope you have grasped the idea of how easily you can automate testing of all the changes, and even upgrading the Docker image won’t be that hard.