Keeping dependencies in your GitHub projects up-to-date with Dependabot

This page summarizes the projects mentioned and recommended in the original post on dev.to

  • Here I will talk about Dependabot, an option for GitHub-hosted projects (but hey, an integration for GitLab exists as well). I will show you how to set it up in just a few easy steps, embracing the latest features for the best developer experience.

  • nuxt

    The Intuitive Vue Framework.

  • Since I use Dependabot mostly for my JavaScript (Nuxt) projects and I tend to prefer good ol’ npm over other package managers, I will be showing it for this setup. However, you have many more options. You can see all the supported variants here. The process is basically the same for all of them.

  • demos-nuxt

    Showcase of what I have learned on my journey with Nuxt

  • Parameter directory locates your package.json (or respective file with dependency definitions). In this case we assume that it is present directly in the root. But for example, in a project at my work we have the JS application wrapped inside a Docker container, so the value would have to be /app. Or you could have a monorepo with multiple sub-projects. Then you need to set Dependabot separately for each. Here is an example.

  • dependabot-core

    🤖 Dependabot's core logic for creating update PR's.

  • P.S. While this is a powerful and handy tool in itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.

  • combine-prs-workflow

    Combine/group together PRs (for example from Dependabot and similar services)

  • To address inefficiency caused by separate PRs, a workflow was designed to join them automatically into one big PR. However, it was unable to deal with lockfile conflicts. PRs that caused a conflict in the Combine PRs job were omitted and you had to add them manually anyway. It spared some time, but the developer experience was still far from being perfect.

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.
