Contents

How to use Dependabot on Github

Łukasz Lenart

27 May 2022.4 minutes read

How to use Dependabot on Github webp image

Keeping your dependencies up to date can be a challenging task. There are a few good tools on the market that can help you with a given type of environment like OWASP Dependency-Check Project, which supports Ant, Maven, sbt, Gradle-based projects, or Scala Steward if you’re using only plain Scala in your project. There is also Snyk, which supports a vast number of languages and build tools, yet it’s a paid tool for non-OSS projects. And, finally, there is Dependabot, recently acquired by Github and available free-of-charge once you host your repos on Github.

How to start

Firstly, you must have a project on Github already set. Also, it would be good to configure a test pipeline using Github Actions. I will use an example NodeJS-based project as it is easy to configure a simple pipeline and NodeJS is one of the environments supported by Dependabot.

Having a project ready, you must create a YAML file under the .github/workflows/ folder, let’s call it ci.yaml with basic content:

name: CI
on:
  pull_request:
  push:
    branches:
      - main

concurrency: build

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up NodeJS
        uses: actions/setup-node@v3.1.1
        with:
          node-version: '17'
      - name: Test
        run: |
          npm install
          npm run build
          npm run test

As you can see, there is nothing strange in this file, I’m just checking out the code, setting up Node environment and then running the tests. All of these are already available actions in the Marketplace.

Setting up Dependabot

Adding Dependabot is really straightforward. You just need to create another YAML file with easy-to-grasp config, this time the name matters and it must be dependabot.yml created under the .github/ folder:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

I think there is nothing to explain here — I want to have npm-related updates to be provided on a daily basis and that’s all. After pushing these changes into Github, Dependabot will be activated and it will start submitting PRs with any outdated dependency based on my package.json file.

There is more

As I configured a basic test pipeline using Github Actions it would be good to keep those actions up to date as well. Github Actions are also versioned and upgraded during the time the project lasts, there are fixes or adjustments to Github API and so on. Following the changes is a good practice.

To monitor outdated actions I must add another section to the dependabot.yaml file:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"

And done! Yet again, there is nothing complicated here, another section covers github-actions that should be checked on weekly basis. Dependabot will create another PR if any of the used actions is outdated.

All those PRs will be tested using the pipeline I just added at the beginning, so I’m safe to approve them once tests have passed.

There is even more

Here be dragons … let’s assume that my project is built as a Docker image deployed to a Container Registry (GCR or ECR). As you may know, images can also be outdated and can contain vulnerable code, so it would be good to update them and test the app on the new version. And again, this is very easy task when using Dependabot, but first, I must add a proper test pipeline to launch my tests inside the Docker image.

Here is my example Dockerfile to start the app:

FROM node:16.13.0-alpine

USER root
WORKDIR /app

COPY package*.json ./
COPY src ./src
COPY tsconfig.json ./

RUN npm install

CMD [ "npm", "start" ]

As I’m copying the whole source code into the image, I can also start tests inside the image (in a real-life project, you should rather use multi-stage builds instead), let me extend my test pipeline:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Set up NodeJS
        uses: actions/setup-node@v3.1.1
        with:
          node-version: '17'
      - name: Test
        run: |
          npm install
          npm run build
          npm run test
      - name: Build docker image
        run: docker build -t local .
      - name: Run tests on Docker
        run: |
          docker run -t -v $PWD:/srv -w /srv local \
            npm install && npm run build && npm run test

So I’m building a new docker image tagged local and then I’m running my tests inside the newly built image. Having done that, I can configure Dependabot to keep the image up to date and test my app using the new image. To do this, I must add yet another section to dependabot.yaml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

I assume I don’t have to explain this :)

Summary

Keeping your project up to date is part of your duty, you are responsible for your project and the code you deliver. Using Dependabot to help you with these boring tasks can be very easy. I hope you grasp the idea of how you can easily automate testing all the changes and even upgrading Docker image won’t be that hard.

Blog Comments powered by Disqus.