When we program in PHP or JavaScript we rely on package managers such as Composer and npm, which are fundamental to our work. Keeping those dependencies updated is essential, mainly for security reasons: it makes our code more secure, and even the parts that depend on third parties stay up to date.
What is dependabot?
Dependabot is a tool integrated into GitHub that helps manage and maintain a software project's dependencies automatically. It regularly checks dependency configuration files, such as package.json in Node.js projects, composer.json for PHP, pom.xml in Java projects, and Gemfile for Ruby, among others. Dependabot detects whether any dependency is out of date or has a known security vulnerability, and can automatically open pull requests (PRs) to update those dependencies.
Pull requests allow us to review the proposed enhancement code and approve it.
Key features of Dependabot:
- Dependency Update: Dependabot periodically checks project dependencies and generates automatic PRs with suggestions to update versions that have changed. This allows us to keep the project’s libraries and tools up to date without having to do it manually.
- Patching Security Vulnerabilities: GitHub, through its vulnerability database, notifies Dependabot when it detects a vulnerability in any dependency. Dependabot can then generate a PR to upgrade that dependency to a secure version.
- Flexible Configuration: A configuration file controls how and when Dependabot runs. You can define the time interval (daily, weekly, etc.), which files it should monitor, and whether it should open PRs automatically or only notify you about available updates.
- Integration with GitHub workflow: PRs created by Dependabot integrate with existing CI/CD workflows. For example, updates can be automatically tested using unit tests and other mechanisms that the project already has configured.
- Multi-language support: Dependabot supports a wide range of languages and dependency managers, such as Node.js, Python, Java, Ruby, PHP, Go, and more.
Typical Dependabot workflow:
- Dependabot regularly scans the project's dependency files.
- When it finds a new version of a dependency (or if it detects a security vulnerability), it creates an automatic PR with the corresponding update. We need to review the PR, look at the proposed changes and decide whether to accept the update.
- If the PR is accepted, it is integrated into the project and the dependencies are updated.
In summary, Dependabot is a very useful tool for keeping project dependencies up to date, reducing the risk of security vulnerabilities, and minimizing the manual work associated with dependency management in software projects.
How to implement it?
Assuming you are developing a plugin for WordPress (the same setup also works for any PHP project), here is the configuration file I use in my repositories.
This Dependabot configuration is based on the one in the Plugin Check plugin for WordPress, which I highly recommend, plus one setting that suits my own workflow. So, my Dependabot does the following:
- Checks GitHub Actions, npm and Composer dependencies.
- Checks them every week.
- Allows at most 10 open PRs per ecosystem.
- Opens the PRs against the "develop" branch, which is the one I normally work on.
To get it going, you only need to create the file .github/dependabot.yml in the default branch of your GitHub repository (trunk, main or master), with the following content:
version: 2
updates:
  - package-ecosystem: github-actions
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
  - package-ecosystem: composer
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
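A mistake in this file (wrong indentation, a misspelled ecosystem name, a missing schedule) simply means Dependabot never opens a PR, and nothing tells you that the updates you are counting on have stopped. The following script is an added example, not part of the original post or of Dependabot itself: it parses the configuration above with a small indentation-based parser covering only the YAML subset a Dependabot config needs (mappings, lists of mappings, plain or quoted scalars, full-line comments), then checks the fields this post relies on. SAMPLE_CONFIG is the post's configuration copied in as a constructed sample, and KNOWN_ECOSYSTEMS and KNOWN_INTERVALS are partial lists written for this example, not an authoritative list of what Dependabot supports.

```python
"""Parse and sanity-check a .github/dependabot.yml without external libraries (added example)."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the post's own configuration with conventional indentation.
SAMPLE_CONFIG = """\
version: 2
updates:
  - package-ecosystem: github-actions
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
  - package-ecosystem: npm
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
  - package-ecosystem: composer
    directory: '/'
    schedule:
      interval: weekly
    open-pull-requests-limit: 10
    target-branch: "develop"
"""

# Partial lists maintained for this example; extend them for ecosystems you use.
KNOWN_ECOSYSTEMS = {"github-actions", "npm", "composer", "pip", "bundler",
                    "maven", "gradle", "gomod", "cargo", "docker", "nuget"}
KNOWN_INTERVALS = {"daily", "weekly", "monthly"}


def _scalar(text: str) -> Any:
    """Convert a YAML scalar to str/int/bool, stripping surrounding quotes."""
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if text in ("true", "false"):
        return text == "true"
    return text


def _tokenize(src: str) -> List[Tuple[int, str]]:
    """Return (indent, text) for each non-blank line that is not a full-line comment."""
    tokens = []
    for raw in src.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return tokens


def _parse(tokens: List[Tuple[int, str]], pos: int, indent: int) -> Tuple[Any, int]:
    """Parse the block whose entries sit at `indent`; returns (value, next position)."""
    if tokens[pos][1].startswith("- "):
        items = []
        while pos < len(tokens) and tokens[pos][0] == indent and tokens[pos][1].startswith("- "):
            rest = tokens[pos][1][2:].strip()
            if re.match(r"[\w.-]+\s*:", rest):
                # "- key: value" opens a mapping whose body is indented two past the dash
                tokens[pos] = (indent + 2, rest)
                item, pos = _parse(tokens, pos, indent + 2)
            else:
                item, pos = _scalar(rest), pos + 1
            items.append(item)
        return items, pos
    mapping: Dict[str, Any] = {}
    while pos < len(tokens) and tokens[pos][0] == indent and not tokens[pos][1].startswith("- "):
        key, _, rest = tokens[pos][1].partition(":")
        key, rest, pos = key.strip(), rest.strip(), pos + 1
        if rest:
            mapping[key] = _scalar(rest)
        elif pos < len(tokens) and (tokens[pos][0] > indent or
                                    (tokens[pos][0] == indent and tokens[pos][1].startswith("- "))):
            # nested block: deeper indent, or a list that YAML allows at the parent's indent
            mapping[key], pos = _parse(tokens, pos, tokens[pos][0])
        else:
            mapping[key] = None
    return mapping, pos


def parse_dependabot_yml(src: str) -> Dict[str, Any]:
    """Parse the YAML subset used by dependabot.yml into plain dicts/lists."""
    tokens = _tokenize(src)
    if not tokens:
        return {}
    value, pos = _parse(tokens, 0, tokens[0][0])
    if pos != len(tokens):
        raise ValueError(f"unexpected indentation at line entry {pos}: {tokens[pos][1]!r}")
    return value


def validate(config: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the config looks usable."""
    errors: List[str] = []
    if config.get("version") != 2:
        errors.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        errors.append("updates must be a non-empty list")
        return errors
    for i, u in enumerate(updates):
        where = f"updates[{i}]"
        if not isinstance(u, dict):
            errors.append(f"{where}: each entry must be a mapping")
            continue
        if u.get("package-ecosystem") not in KNOWN_ECOSYSTEMS:
            errors.append(f"{where}: unknown package-ecosystem {u.get('package-ecosystem')!r}")
        directory = u.get("directory")
        if not isinstance(directory, str) or not directory.startswith("/"):
            errors.append(f"{where}: directory must be a repository path starting with '/'")
        schedule = u.get("schedule")
        interval = schedule.get("interval") if isinstance(schedule, dict) else None
        if interval not in KNOWN_INTERVALS:
            errors.append(f"{where}: schedule.interval must be one of {sorted(KNOWN_INTERVALS)}")
        limit = u.get("open-pull-requests-limit", 0)
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
            errors.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
        branch = u.get("target-branch")
        if branch is not None and (not isinstance(branch, str) or not branch):
            errors.append(f"{where}: target-branch must be a non-empty string")
    return errors


if __name__ == "__main__":
    problems = validate(parse_dependabot_yml(SAMPLE_CONFIG))
    print("OK" if not problems else "\n".join(problems))
```

Run it against your own file by reading .github/dependabot.yml into parse_dependabot_yml; a non-empty list from validate points at the entry and field that would make Dependabot skip that ecosystem. The check on open-pull-requests-limit and target-branch matters for the workflow described above: the limit is per ecosystem entry, so the three entries here can produce up to 30 open PRs, and a misspelled target branch leaves PRs landing on the default branch instead of develop.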