These days, almost every project has some other projects it depends on. This isn’t a bad thing. It’s good. Let others do the hard work for you and just use all the convenient APIs.
But it will get worse if someone finds a security vulnerability in one of those dependencies. And it’s even worse for you, if there existed a patch for months, you just haven’t heard of it.
Another common problem is, that if you aren’t using the latest version of a package, the documentation and help you find online may doesn’t work for you. It’s frustrating.
But there are tools out there that can help you here. The most popular tool is Dependabot which was recently acquired and integrated by GitHub. Dependabot will regularly check your dependencies and will open up a pull request with a version bump if needed.
Ok cool, you might think. I install dependabot and from time to time I merge those updates.
Yes maybe, but not really. If you do the math, there are way more people working on all your dependencies than people who are working on your project. More than once, I opened up one of my projects that I haven’t touched for a while and had tons of open pull requests from Dependabot.
I then discovered that whenever I “reviewed” such a pull request, I just checked if the CI was still running and blindly merged it. This could be automated. Right?
Yes, it can! Dependabot even offers such functionality built-in.
You might think this could only work if you have tons of tests, right? Otherwise, this would break the system regularly?
No! In many of my projects, I don’t have huge amounts of tests. In some projects, I just check if the build is still working and all linters are still fine with the changes.
After over two years of having such automatic merging enabled in more than 10 projects (work and private), I can confidently say that never any of the automatic dependency updates broke something. If it broke, the build stopped working.
IMHO the advantages of an always up-to-date repository therefore far outweigh the risks of automatic merging.
If you think more about it, there aren’t many issues from dependency updates that could break your project:
- If there are bug fixes or security fixes, the API’s usually don’t change which results in very low risks of a broken build
- If there are minor versions updates, they will most likely only introduce new features (as long as they are following the semantic versioning guidelines)
- And if there are the really rare major updates, these will very likely break your build because there are renamed imports, removed methods, and so on. It’s all stuff that would cause your build step to fail.
And now: Start automating your dependency updates. I recommend this tutorial from @toufik.airane https://firstname.lastname@example.org/automerge-github-dependabot-alerts-with-github-actions-7cd6f5763750
What’s your opinion about automatic dependency updates? Have I convinced you to try it? Are you still afraid? Do you have any bad experience with it? Please let me know!