Dependencies: Automated Update Strategies
Automated Dependency Updates
Strategies and configurations for automating dependency updates using Dependabot and pre-commit hooks.
Dependabot Configuration
Dependabot automatically creates pull requests to update dependencies in your repository.
Basic Configuration
Create .github/dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 7
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
```

Supported Package Ecosystems
- npm - JavaScript/Node.js packages
- pip - Python packages
- maven - Java packages
- gradle - Java/Kotlin packages
- docker - Docker images
- github-actions - GitHub Actions workflows
- terraform - Terraform modules
- cargo - Rust packages
Auto-merging Dependabot PRs
Automatically merge Dependabot PRs after CI passes.
Prerequisites:
- Enable “Allow GitHub to create and approve PRs” in repository settings
- Set up branch protection to require status checks before merge
Create .github/workflows/auto-merge-dependabot.yml:
```yaml
name: auto-merge-dependabot

on:
  schedule:
    - cron: "0 5 * * 1"
  workflow_dispatch:
  push:
    branches:
      - master
  pull_request:

permissions:
  contents: read

jobs:
  dependabot:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
      contents: write
    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }}
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
      - run: |
          gh pr review --approve "$PR_URL"
          gh pr merge --squash --auto "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Advanced Dependabot Options
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
      time: "03:00"
      timezone: "America/New_York"
    # Limit number of open PRs
    open-pull-requests-limit: 5
    # Group updates
    groups:
      development-dependencies:
        dependency-type: "development"
        patterns:
          - "@types/*"
          - "eslint*"
    # Ignore specific dependencies
    ignore:
      - dependency-name: "lodash"
        update-types: ["version-update:semver-major"]
    # Custom commit message prefix
    commit-message:
      prefix: "deps"
      include: "scope"
    # Add reviewers
    reviewers:
      - "team/reviewers"
    # Add labels
    labels:
      - "dependencies"
      - "automated"
```
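The groups and ignore stanzas are easier to reason about with a small model. The following is an added example, not Dependabot's own code: it re-implements those two rules for the npm entry in plain Python so that a rule's effect can be checked before the PR appears. NPM_UPDATE is the page's advanced config transcribed as a dict, and versions are assumed to be dotted numerics without prerelease tags.

```python
# Added example (not Dependabot's own code): a plain-Python model of the
# `groups` and `ignore` stanzas in the npm entry above, so the effect of a rule
# can be checked before the PR shows up. Versions are assumed to be dotted
# numerics with no prerelease tag.
from fnmatch import fnmatchcase

NPM_UPDATE = {  # the page's advanced npm entry, transcribed as a dict
    "groups": {
        "development-dependencies": {
            "dependency-type": "development",
            "patterns": ["@types/*", "eslint*"],
        }
    },
    "ignore": [
        {"dependency-name": "lodash",
         "update-types": ["version-update:semver-major"]},
    ],
}

def update_type(old: str, new: str) -> str:
    """Name the bump the way Dependabot's update-types do (major/minor/patch)."""
    a = [int(p) for p in old.split(".")] + [0, 0]
    b = [int(p) for p in new.split(".")] + [0, 0]
    for level, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if a[i] != b[i]:
            return f"version-update:semver-{level}"
    return "none"

def is_ignored(name: str, old: str, new: str, update=NPM_UPDATE) -> bool:
    """True if an `ignore` rule suppresses this update; a rule without
    `update-types` suppresses every update of the matched dependency."""
    kind = update_type(old, new)
    for rule in update.get("ignore", []):
        if not fnmatchcase(name, rule["dependency-name"]):
            continue
        if rule.get("update-types") is None or kind in rule["update-types"]:
            return True
    return False

def group_for(name: str, dep_type: str, update=NPM_UPDATE):
    """Group whose combined PR would carry this update, or None (its own PR)."""
    for gname, rule in update.get("groups", {}).items():
        if rule.get("dependency-type") not in (None, dep_type):
            continue
        if any(fnmatchcase(name, p) for p in rule.get("patterns", ["*"])):
            return gname
    return None
```

With this config, a lodash 4.x to 5.x bump never produces a PR, while @types/* and eslint* development packages are folded into one grouped PR.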
Pre-commit Autoupdate
Pre-commit is a framework for managing git hooks. It can automatically update hook versions.
Manual Autoupdate
Update all hooks to their latest versions:

```sh
pre-commit autoupdate
```

Update specific hooks:

```sh
pre-commit autoupdate --repo https://github.com/psf/black
```

Automated Pre-commit Updates
Use GitHub Actions to automatically update pre-commit hooks.
Create .github/workflows/pre-commit-autoupdate.yml:
```yaml
name: pre-commit-autoupdate

on:
  schedule:
    # Run every Monday at 8:00 AM UTC
    - cron: "0 8 * * 1"
  workflow_dispatch:

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.x"

      - name: Install pre-commit
        run: pip install pre-commit

      - name: Run pre-commit autoupdate
        run: pre-commit autoupdate

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch: pre-commit-autoupdate
          title: "chore: update pre-commit hooks"
          commit-message: "chore: update pre-commit hooks"
          body: |
            Automated update of pre-commit hooks to their latest versions.

            Please review the changes and ensure all tests pass before merging.
          labels: |
            dependencies
            automated
          delete-branch: true
```

Pre-commit Configuration Tips
Configure .pre-commit-config.yaml to pin versions:

```yaml
repos:
  - repo: https://github.com/psf/black
    rev: 24.1.1  # Pin to specific version
    hooks:
      - id: black
        language_version: python3.11

  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
      - id: end-of-file-fixer
      - id: check-yaml
      - id: check-added-large-files
        args: ["--maxkb=1000"]
```

Combined Strategy
Use both Dependabot and pre-commit autoupdate for comprehensive dependency management:
- Dependabot - Updates project dependencies (package.json, requirements.txt, etc.)
- Pre-commit autoupdate - Updates development tool versions (.pre-commit-config.yaml)
This ensures both runtime dependencies and development tools stay up to date.
Best Practices
- Schedule wisely - Avoid running updates too frequently (once per day or week is usually sufficient)
- Use cooldown periods - Give time to review and merge updates before creating new ones
- Group related updates - Reduces PR noise by combining similar dependency updates
- Require CI to pass - Never auto-merge without successful tests
- Review breaking changes - Pay special attention to major version updates
- Test in staging - Deploy to staging environment before production
- Monitor security advisories - Enable security updates with higher priority
Troubleshooting
Dependabot not creating PRs:
- Check that dependabot.yml is in the .github/ directory
- Verify the package ecosystem name is spelled correctly
- Check repository settings for Dependabot access
Pre-commit autoupdate fails:
- Ensure pre-commit is installed: pip install pre-commit
- Verify .pre-commit-config.yaml syntax
- Check hook repository URLs are accessible
Auto-merge not working:
- Verify GitHub App permissions for creating/approving PRs
- Check branch protection rules don’t block auto-merge
- Ensure required status checks are configured correctly