Taming Dependabot

Overview

In this lesson, we'll discuss how the author worked with Dependabot during their career and go through some key points of working with it.

Author's words about Dependabot

Author's Note

When I started developing in Delphi, the number of dependencies taken on was significantly lower and slower moving than modern JavaScript development. Back then, a project would typically have one or two custom libraries added to the Visual Component Library (VCL), and everything else was custom-built. These libraries may have been updated every year but could typically be left alone for two or three years. It was fairly straightforward to keep them up-to-date, provided that the supplier stayed in business. 

Contrast the anecdote above to a Node application—built with the React Starter Kit—which has over 2000 node modules as dependencies. These are continually being updated, and new versions are being released frequently. Keeping on top of the security fixes and general updates can be overwhelming. 

This is where Dependabot comes in. Grant Dependabot access to your Git Repository allows it to raise pull requests. It will even merge them for you automatically if you have a suitable build server attached (and the build passes, of course).

Working with Dependabot

Dependabot is also good at working with Jenkins provided that Jenkinsfiles is used along with it. Sometimes, you may have too many repositories, and it would take too much time to move all your projects over to Jenkinsfiles. In that case, a useful solution is to add a small Jenkinsfile to the project that just runs the unit tests (or as many tests as you can fit). There's a risk that the tests will diverge, but having some tests that run as part of the Dependabot permits automatic merging.