
Automate GitHub Dependency Updates with Dependabot - bolajiayodeji
https://bolajiayodeji.com/automate-github-dependency-updates-with-dependabot-ck4u3kd2d00hktjs1llbiuf8d
======
capableweb
This whole "automate your dependency updates" is gonna bite people in the ass
sooner or later. No one except a few select I know, actually review their
dependency changes. Most basically have some sort of automated flow where each
update becomes a pull-request, and if it passes the tests, the person merges it.

Or they do "once every X" full updates of everything, and if the tests pass,
they merge it.

Wonder if we soon will have a service you simply connect to your repository
and now this is fully automatic, with the commit to master happening
automatically if the tests pass?

~~~
myroon5
Dependabot can be configured to automatically commit to master if the tests
pass

~~~
karlding
The point that the parent commenter is highlighting is that if somehow a
malicious package version is introduced, since nobody actually is auditing the
changes that are being pulled in, it is possible for the tests to pass and
introduce a security vulnerability. They're suggesting that the contents of
the actual diff in the packages should be reviewed.

------
jakear
Discussion from last week where dependabot was proposed as a solution to the
issue of third party contributors sneaking exploits into package-lock changes:
[https://news.ycombinator.com/item?id=21886914](https://news.ycombinator.com/item?id=21886914)

My stance is still "if there's no CVE, and your application works, why go
around introducing changes to the environment you're running it in?"
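
As an added example (not from this thread, and not Dependabot's own code), here is the kind of lockfile review karlding and jakear are getting at: a Python check that diffs two `package-lock.json` documents and flags changes a plain version bump does not explain. The two lockfiles and their entries are constructed sample data in the npm lockfileVersion 1 shape; the trusted-host list is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfiles (npm lockfileVersion 1 shape); not from any real project.
BEFORE = {"lockfileVersion": 1, "dependencies": {
    "left-pad": {"version": "1.3.0", "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", "integrity": "sha512-AAAA"},
    "lodash": {"version": "4.17.15", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz", "integrity": "sha512-BBBB"},
    "debug": {"version": "4.1.1", "resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz", "integrity": "sha512-CCCC"},
}}
AFTER = {"lockfileVersion": 1, "dependencies": {
    # same version, different tarball hash: the bump-only story does not explain this
    "left-pad": {"version": "1.3.0", "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", "integrity": "sha512-ZZZZ"},
    # ordinary version bump
    "lodash": {"version": "4.17.19", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz", "integrity": "sha512-DDDD"},
    # same version, now fetched from somewhere other than the registry
    "debug": {"version": "4.1.1", "resolved": "https://mirror.example.net/debug/-/debug-4.1.1.tgz", "integrity": "sha512-CCCC"},
    # package that was not in the tree before
    "colors-util": {"version": "0.0.1", "resolved": "https://registry.npmjs.org/colors-util/-/colors-util-0.0.1.tgz", "integrity": "sha512-EEEE"},
}}

TRUSTED_HOSTS = {"registry.npmjs.org"}  # assumption: adjust to your registry/mirror


def load_lockfile(path):
    """Read a package-lock.json from disk (BEFORE/AFTER above stand in for two git revisions)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_lockfile_change(before, after, trusted_hosts=TRUSTED_HOSTS):
    """Return (severity, package, message) findings for the top-level entries of a lockfile diff.

    'alert' marks changes that a version bump alone does not explain; 'review' marks
    things a human should still look at (new packages, version changes). Nested
    'dependencies' blocks are not walked here; recurse into them for a full audit.
    """
    old, new = before.get("dependencies", {}), after.get("dependencies", {})
    findings = []
    for name in sorted(set(old) | set(new)):
        o, n = old.get(name), new.get(name)
        if o is None:
            findings.append(("review", name, f"new package {n['version']}"))
        elif n is None:
            findings.append(("info", name, f"removed (was {o['version']})"))
        elif o["version"] != n["version"]:
            findings.append(("review", name, f"{o['version']} -> {n['version']}"))
        elif o.get("integrity") != n.get("integrity"):
            findings.append(("alert", name, "integrity changed but version did not"))
        if n is not None:
            host = urlparse(n.get("resolved", "")).hostname
            if host not in trusted_hosts:
                findings.append(("alert", name, f"resolved from untrusted host {host}"))
    return findings


def has_alerts(findings):
    """True when at least one finding needs a human before the PR is merged."""
    return any(sev == "alert" for sev, _, _ in findings)
```

Run as a CI step against the base and head lockfile, fail the job when `has_alerts` is true, and let the test-suite-green auto-merge proceed only for the remaining plain version bumps.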

~~~
palijer
Doing gradual smaller changes over time and reducing the delta removes the
risk of having to update everything at once down the road. We use dependabot
to prevent our services from becoming the legacy issues that no one wants to
touch.

We'd rather fix small issues continuously than have giant overhauls when a
bunch of packages need to get updated because we weren't staying on top of it.

I think about it like a CD pipeline for dep updates. Less risk if you ship
smaller amounts of code.

------
est31
I'm a Rust developer and I see some projects using Dependabot. The reason why
I'm not adopting it for the projects I maintain is as follows:

* In library projects, many Dependabot PRs are just increasing the patch version of the library. Unless they require new features added in the new version, I think libraries shouldn't do this. This actually does more harm than good because sometimes, downstream might not want to update the patch version of a dependency but might want to update your library. The only argument in favour is that you might miss it if your library requires a new version, but in general, libraries should strive to require a larger range of versions. A hammer is only more useful if it works with nails bought 30 years ago.

* In application projects, I prefer doing dependency updates in bulk rather than as soon as possible: Replacing a dependency high in the tree causes all its dependents to be rebuilt, which causes CPU overhead for everyone who is building my code: Sometimes you need to rebase a PR and you shouldn't have to wait for the dependencies to compile because master branch had to do some update. Similarly, when you bisect some regression it's annoying if you have to rebuild the dependencies of the project on every bisection step. Thus I'm generally waiting to do dependency updates (cargo update as well as semver-noncompliant version updates) once per month. It's no strict rule but still a rule. Exceptions are e.g. when a dependency fixes a bug that affects my code or when a dependency update requires nontrivial work. I'd rather do that sooner before it bitrots.

------
orkj
For those looking for automated dependency updates for php (composer), but
with gitlab (self hosted or with gitlab.com) or bitbucket, there is also
violinist.io.

Full disclosure: I am the founder.

------
11235813213455
I've found dependabot quite spammy recently:
[https://github.com/kkostov/react-calendar-icon/pulls](https://github.com/kkostov/react-calendar-icon/pulls)

Btw, an easy way to update libs (besides `npm update` which updates
minor/patch versions) is `npx salita -u`

~~~
solidasparagus
We run dependabot on a different fork and then merge periodically to reduce
noise

------
oweiler
Automatic dependency updates for Maven projects, currently GitLab only,
implemented as a Maven Plugin.

[https://github.com/helpermethod/dependency-update-maven-plug...](https://github.com/helpermethod/dependency-update-maven-plugin)

