GitHub acquired Dependabot and made it free so we tried it out. The results were better than expected.
We have long been advocates for consistent software maintenance. It might seem obvious, but software simply must be maintained and kept up to date with its dependencies or it risks atrophying until it becomes an unmaintainable pile of trash. Dependabot is an excellent tool for preventing software decay.
GitHub, now owned and backed by Microsoft, the richest public company in the world, has been on a bit of a streak recently, innovating with features such as Actions, Sponsors, and a Package Registry. More recently, they announced the acquisition of Dependabot, a tool that automatically monitors and upgrades your software dependencies. As part of the acquisition, GitHub has made Dependabot free, even for private repositories. (Hopefully this is a permanent change and not a bait and switch.)
Here at Nimble Industries, we innovate and try new products and ideas regularly, and therefore have quite a few private repos hosted on GitHub, mostly Rails apps, such as StatusGator. And although we try to keep up to date with our dependencies, it can be a challenge and so we were eager to try out Dependabot.
Setup and installation is simple: a quick sign up with GitHub OAuth was all that was required, along with a grant to read and write code in our repositories (write access is what lets it push upgrade branches and open pull requests). Knowing that Dependabot is now owned by GitHub itself makes granting that permission a little easier. Dependabot automatically detects which language and dependency management system you're using, which was Ruby and RubyGems (via Bundler) for us; many other ecosystems are supported.
Immediately after installing, Dependabot opened 5 PRs for our repository, proposing bumps to a number of crusty, out-of-date gems. Each PR upgrades just one dependency at a time, a valuable distinction that makes testing (and reverting if necessary) very simple. Dependabot caps the open PRs at 5 so as not to overwhelm you; it checks each day and opens new ones after you've merged or closed some.
If you have a good test suite and highly automated CI, this is when you will be rewarded for it. For each PR, you can clearly see the passing (or failing) test suite in GitHub. If you’re confident in the coverage of your tests, simply merge and move on. If you need extra confidence, you can pull the branch and test locally. Dependabot uses very consistent branch names, for example:
dependabot/bundler/twilio-ruby-5.23.0 when updating the
For an even smoother setup, consider using Heroku Review Apps, or your deployment platform’s equivalent. With Review Apps configured in StatusGator, we can quickly and easily launch a temporary instance of each of Dependabot’s dependency bump PRs. There, we can test thoroughly, amend the branch with additional commits to fix breaking changes, and eventually merge, shutting down the instance automatically.
Our experience was that most of the gems were updated without consequence and merged without intervention. A few gems that were very out of date caused breaking changes, which were caught by our test suite and some manual testing. For these, we simply checked out the branch locally, added some commits, pushed them to Dependabot's branch, waited for CI to pass, and then merged.
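The two properties described above, one gem per PR and a predictable branch name such as dependabot/bundler/twilio-ruby-5.23.0, are worth verifying rather than trusting, because a lockfile diff is where an unexpected change would hide. The following is an added example, not code from Dependabot or from StatusGator: it parses the branch name, extracts the pinned versions from the specs: block of a Gemfile.lock before and after the PR, and reports whether the named gem really moved to the claimed version and which other gems moved with it. The branch layout dependabot/<package-manager>/<dependency>-<version> is assumed from the example branch above; the two lockfiles are constructed samples.

```ruby
# Added example (not Dependabot's own code): sanity-check a Dependabot PR by
# confirming the gem named in the branch changed in Gemfile.lock, and listing
# anything else that changed alongside it.

# Assumed branch layout: dependabot/<package-manager>/<dependency>-<version>
# (as in dependabot/bundler/twilio-ruby-5.23.0).
def parse_dependabot_branch(branch)
  parts = branch.split("/")
  unless parts.first == "dependabot" && parts.length >= 3
    raise ArgumentError, "not a Dependabot branch: #{branch}"
  end
  # Gem names may themselves contain hyphens (twilio-ruby), so split at the
  # first hyphen that is followed by a digit, i.e. where the version begins.
  m = parts.last.match(/\A(.+?)-(\d.*)\z/)
  raise ArgumentError, "cannot split dependency and version: #{parts.last}" unless m
  { manager: parts[1], dependency: m[1], version: m[2] }
end

# Map of gem name => pinned version taken from every "specs:" block of a
# Gemfile.lock. Top-level gems are indented four spaces; their sub-dependency
# constraint lines are indented six and are skipped.
def lock_versions(lockfile)
  versions = {}
  in_specs = false
  lockfile.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && !line.start_with?("    ")
    next unless in_specs
    if (m = line.match(/\A    (\S+) \(([^)]+)\)\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Gems whose pinned version differs between the two lockfiles: name => [old, new].
def changed_gems(old_lock, new_lock)
  before = lock_versions(old_lock)
  after  = lock_versions(new_lock)
  (before.keys | after.keys).each_with_object({}) do |gem, diff|
    diff[gem] = [before[gem], after[gem]] if before[gem] != after[gem]
  end
end

# Does the PR do what its branch name claims? Transitive dependencies may
# legitimately move with the bump, so they are surfaced for review, not rejected.
def check_bump(branch, old_lock, new_lock)
  bump = parse_dependabot_branch(branch)
  diff = changed_gems(old_lock, new_lock)
  target = diff[bump[:dependency]]
  {
    target_updated: !target.nil? && target[1] == bump[:version],
    extra_changes: diff.reject { |gem, _| gem == bump[:dependency] },
  }
end

# Constructed sample lockfiles (not real project files).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      faraday (0.15.4)
        multipart-post (>= 1.2, < 3)
      jwt (2.2.1)
      multipart-post (2.1.1)
      twilio-ruby (5.22.0)
        faraday (~> 0.9)
        jwt (>= 1.5, <= 2.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    twilio-ruby (~> 5.22)
LOCK

# The expected bump: only twilio-ruby moves.
NEW_LOCK = OLD_LOCK.sub("twilio-ruby (5.22.0)", "twilio-ruby (5.23.0)")
# A bump that also pulled faraday forward; faraday should show up as an extra change.
NEW_LOCK_TRANSITIVE = NEW_LOCK.sub("faraday (0.15.4)", "faraday (0.17.0)")
BRANCH = "dependabot/bundler/twilio-ruby-5.23.0"

if __FILE__ == $0
  p check_bump(BRANCH, OLD_LOCK, NEW_LOCK)
  p check_bump(BRANCH, OLD_LOCK, NEW_LOCK_TRANSITIVE)
end
```

In practice you would feed it `git show origin/master:Gemfile.lock` and `git show <branch>:Gemfile.lock`; a non-empty extra_changes is not a failure, it is the list of gems to read release notes for before merging.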
Dependabot supports a number of commands that are slickly integrated into GitHub comments. The most useful commands we found were:
@dependabot rebase will rebase the PR
@dependabot merge will merge this PR after your CI passes on it
@dependabot ignore this [patch|minor|major] version will close the PR and stop Dependabot from creating any more
Whenever you use these commands, Dependabot comments with a thumbs-up emoji (👍) to acknowledge receipt. The integration is smooth and works consistently as expected.
Overall, Dependabot is an amazing addition to GitHub and something that will save us time and energy. We hope that GitHub will continue to invest in Dependabot, pursuing more advanced integration. Perhaps some machine learning could be used to determine the kinds of edits humans are making when fixing breaking changes. Since those edits are pushed to the Dependabot branches, could GitHub run static analysis on the code, find those breaking changes, and incorporate the updates themselves? Time will tell. We are excited by this first step at automating dependency upgrades with Dependabot.