Keeping project dependencies up to date has always been a challenge in the companies I have worked for (and I guess in yours as well). Usually, after we build the functionality, we rarely go back to the dependency repository to check for new versions and update them.
Personally, I only see that happening when people notice that a new version has some cool new feature, or when a security scan points out that the version we are using has some kind of vulnerability.
This approach has a few drawbacks. The big one is that if we don't make small updates frequently, the changes accumulate and the eventual upgrade becomes much harder. Other drawbacks are the manual work of checking the dependencies, being reactive in fixing security warnings, and so on.
A better approach, in my view, is to update dependencies as frequently as possible: with small changes it becomes easier to update and to check for potential problems. I also love automation, so I believe we should automate as much as possible.
And that's where dependabot comes into the picture. Around 7 months ago, a coworker mentioned dependabot. Reading the docs, I got hooked.
Dependabot's job is to help us keep the services' dependencies up to date. It analyzes all the service dependencies and checks whether a new version exists. If there are new versions, it creates merge requests to update the specific libraries. It is important to mention that it only creates the MR; it is up to the developers and service owners to review and merge the MRs.
As we use GitLab, we don't have the "native" dependabot that GitHub has, but fortunately we have the great work of andrejs, who created a GitLab version of dependabot using the core from GitHub. You can check his GitLab dependabot here. Basically, he provides a Helm chart that you can install and then set up your GitLab repositories.
After that, you add a YAML file to each repository you want checked for dependency updates and register that repository with Dependabot. Then, on the schedule you define in the YAML file, you will get MRs with dependency updates.
You can check the documentation for more details.
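As an added example (not from the original post and not taken from the dependabot-gitlab project's own documentation), here is what such a YAML file can look like. It uses the dependabot v2 configuration schema; the assumption here is that the GitLab port reads the same schema from `.gitlab/dependabot.yml`, so check its docs for the exact path. The ecosystems, package names and schedule values are illustrative choices, not settings from the post.

```yaml
# .gitlab/dependabot.yml (assumed path for the GitLab port; constructed example)
version: 2
updates:
  # Application dependencies: check weekly so each MR stays a small diff.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Europe/Amsterdam"
    # Caps how many update MRs can be open at once, which keeps the initial
    # flood of MRs on a repository with stale dependencies manageable.
    open-pull-requests-limit: 10
    # Skip only MAJOR bumps of a framework we want to upgrade deliberately;
    # minor and patch releases (where most fixes land) still flow through.
    ignore:
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"

  # Base images: check daily, since image updates often carry OS-level fixes.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"

  # The pipeline definition itself is also a dependency surface.
  - package-ecosystem: "gitlab-ci"
    directory: "/"
    schedule:
      interval: "monthly"
```

Commit this file on the default branch, then register the repository with the dependabot-gitlab deployment as its documentation describes; from the next scheduled run you should see one MR per outdated dependency. Keep `ignore` rules narrow: every version range you exclude is a range in which fixes will not reach you automatically.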
In the beginning you will probably get bombarded with merge requests, as most of your dependencies are probably out of date. We got a lot. Some were just minor updates, but some were major version upgrades where we were 6 versions behind.
We have been running dependabot for 7 months now; currently it monitors 35 repositories and we have merged more than 1500 merge requests with dependency updates. You read that right, a THOUSAND AND A HALF merge requests created by dependabot.
If we consider that a dev would take 10 minutes to open each MR, dependabot saved more than 250 hours (more than 30 business days) of tedious work and freed us to do more fun and productive things.
It also helps us merge vulnerability fixes as they are published, not only when we get an alert from the monitoring tools.
Happy updating!