Today, we’re launching Dependabot — a dependable robot who’ll keep your dependencies up-to-date for you. Here’s how it works.
Dependa-what?
Dependabot is a GitHub app that automates dependency updates.
Every day, Dependabot pulls down your dependency files and looks for any outdated requirements. If any of your dependencies are out-of-date, Dependabot opens individual pull requests to bump each one. All you need to do is check your tests pass, scan the included changelog and release notes, and make a call on hitting merge or skipping the new version.
Currently Dependabot supports Ruby and JavaScript (Yarn), with support for PHP and npm5 coming very soon.
Dependa-why?
We’ve blogged in detail about why you should keep your dependencies up-to-date, including analysing 10 years of Rubysec vulnerability data. The TL;DR is:
- Staying up-to-date is the most secure strategy
- Making incremental changes beats big-bang updates
There are other apps out there that can help you with the above, but Dependabot is the only one that supports multiple languages and has an open-source core.
Dependa-ok-this-looks-awesome-how-do-I-sign-up?
Just click on one of the links below. The app is totally free for the first month if you sign up before June 14th 2017.