Keeping Software Dependencies Up to Date with Dependabot

Patrick Picard
Published in ITNEXT, Aug 19, 2022

Lately, I’ve picked up a side project that I’ve been meaning to do for a long time: porting an application I wrote in Perl to Go (yeah, I know… Perl!). As my codebase grew, so did my use of third-party libraries.

At first, I would use VSCode to check for updates from the go.mod file and update them every so often. This approach works fairly well while you are actively developing a solution. But once the application goes into operation and stable mode, it often falls behind on keeping dependencies up to date. Keeping software up to date, just like applying operating system patches, picks up security fixes, bug fixes, and performance improvements.

VSCode approach to updating dependencies

I was poking around GitHub’s capabilities to see what stats I could get for my project (sheer curiosity) and noticed the tab “Security” → “Code security and analysis”. One of the options to maintain security in your repositories is to use Dependabot. Dependabot is a GitHub Action that runs on a schedule to check your dependencies against upstream sources. Should it find newer versions, it can submit a pull request against your project!

Dependabot is capable of managing third-party dependencies for most programming languages. Its configuration is a simple YAML file of around 5 lines, stored at .github/dependabot.yml.

Below is the configuration for my Go project:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "gomod" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
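As an added example (not the configuration from the author’s repository), here is a .github/dependabot.yml that builds on the same weekly gomod check with options a maintainer typically wants once a project is in stable mode: a cap on open update PRs, labels, a commit-message prefix, holding back major bumps for human review, and a second entry that keeps the GitHub Actions used by the test and release workflows current. The keys are Dependabot’s documented configuration options; the label and prefix values are arbitrary choices.

```yaml
# Added example: extends the weekly gomod check with a few maintenance options.
version: 2
updates:
  # Go modules: same weekly cadence as the original config.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap concurrent version-update PRs so a quiet repository is not flooded.
    # Dependabot security updates are not counted against this limit.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"   # arbitrary label, assumed to exist in the repo
      - "go"
    commit-message:
      prefix: "deps"     # arbitrary prefix, e.g. "deps: bump golang.org/x/crypto"
    ignore:
      # Major version bumps usually need someone to read the changelog first;
      # patch and minor updates can flow through CI automatically.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # The workflows that run tests and releases are dependencies too: keep the
  # actions they reference (for example actions/checkout) up to date as well.
  - package-ecosystem: "github-actions"
    directory: "/"   # Dependabot looks in .github/workflows for this ecosystem
    schedule:
      interval: "weekly"
```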

Below is a sample pull request email, which contains useful information about the changes in the dependency:

Pull Request Email

This action takes care of a simple chore and does it very well. Combine it with automated testing and releases, and you have software that “maintains itself”.
