
Dependabot

This document outlines the best practices for using Dependabot at CRUK for JavaScript and TypeScript projects.

info

The following content is recommended.

Description

Dependabot is a tool that helps keep your dependencies up to date. It automatically checks for updates to the dependencies in your project and creates pull requests to update them. This ensures that your project uses the latest versions of its dependencies, which can include important security updates and bug fixes.

Rationale

Vulnerabilities often occur not in our code but in the projects and libraries we use. These third-party dependencies can introduce security risks if they are not regularly updated. By keeping dependencies up to date, we can mitigate these risks and ensure that our projects benefit from the latest security patches and improvements.

Using Dependabot helps automate this process, reducing the manual effort required to track and update dependencies. This is particularly important in large projects or when managing multiple repositories, where manually checking for updates can be time-consuming and error-prone.

Regularly updating dependencies also helps maintain compatibility with other tools and libraries, preventing potential issues that can arise from using outdated versions. It ensures that our projects remain stable, secure, and performant over time.

Using Dependabot

Configuration

To configure Dependabot in your repository, create a dependabot.yml file in the .github directory of your repository. This file defines the configuration for Dependabot, including which dependencies to check for updates and how often to check for updates.

Example

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
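The following is an added example (not the configuration from the original page or from any CRUK repository) that extends the weekly schedule above with a few options that help when a repository accumulates many dependency pull requests. The `groups`, `open-pull-requests-limit`, `labels` and `commit-message` keys are documented Dependabot options; the group name `minor-and-patch` and the label and prefix values are assumptions chosen for illustration.

```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"

  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open Dependabot PRs so a busy week does not flood reviewers
    open-pull-requests-limit: 10
    # Batch all minor and patch bumps into a single PR per run;
    # major bumps fall outside this group and still get their own PR for review
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Assumed label and commit prefix so dependency PRs are easy to filter in the repo
    labels:
      - "dependencies"
    commit-message:
      prefix: "chore(deps)"
```

Grouping keeps the low-risk updates together in one pull request whose combined test run is what an automerge workflow gates on, while major version bumps remain separate pull requests that a person reviews.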

Managing Pull Requests

When Dependabot finds updates for your dependencies, it creates pull requests to update them. You can review these pull requests and merge them into your project.

Automerging

Dependabot can be configured to automatically merge pull requests for certain types of updates. This is particularly useful for teams managing multiple repositories.

Example

https://github.com/CRUKorg/adobe-mc-proxy-aws/blob/main/.github/workflows/dependabot-automerge.yml

This workflow automatically merges Dependabot pull requests that meet two criteria: all required status checks pass (which should include automated tests), and the update is a minor or patch version only.

This helps to keep dependencies up to date with minimal manual intervention and reduces the overhead of manually reviewing and merging dependency updates, allowing engineers to focus on more critical tasks.

danger

Enabling auto-merge carries the risk of merging dependency updates that could potentially break your application. This risk is higher when a dependency has fallen several releases behind: Dependabot opens a single pull request for the latest version and classifies it as a minor upgrade, even though it may skip several minor releases since the version currently installed.

Only enable auto-merge if you have complete confidence in your application's testing suite, you run tests frequently in your integration environment, and you are prepared to revert merged commits if an update causes issues.

Security Updates

Dependabot can also help keep your project secure by checking for updates to dependencies with known vulnerabilities. When a vulnerability is found, Dependabot creates a pull request to update the affected dependency to a secure version.

To enable security updates, you need to enable the "Dependabot alerts" feature in your repository settings.

Updating Packages Manually

You can also update packages locally via npm. Check for newer versions of packages by running npm outdated. Review the change logs, choose which version to update to by changing the version number in package.json, and run npm i. Alternatively, check for known vulnerabilities with npm audit:

# see security issues:
npm audit
# attempt to fix security issues:
npm audit fix

This won't necessarily fix all issues and might inadvertently break deployments, so treat npm audit fix like a manual package update: update, then run the tests and check that it still deploys. A newer package is not automatically more secure, since new releases can introduce new issues, but it usually means older security issues have been fixed.

Further Reading

Dependabot documentation.