Automate your dependency upgrades with Dependabot

Learn how to use the free tool Dependabot to keep your project's dependencies up to date.

Summary

Dependabot is a fantastic free service that helps automate your project's dependency upgrades. Let's get it set up for Ember CLI Mirage.

After visiting www.dependabot.com and signing in, we can add our repository in a few clicks using the web UI.

Once we do, we can tell Dependabot that Mirage is a JavaScript project, so it knows to use our package.json file to check for dependency updates.

Dependabot will then kick off an initial check and start sending PRs to our project for out-of-date dependencies.

Soon, we'll see our first one:

Dependabot gives us helpful info right in the PR so we know why this dependency has changed.

In-range vs. out-of-range updates

Many update PRs Dependabot opens will be "in-range" updates, meaning only our lockfile will change. The new versions are the ones we'd get anyway from a fresh yarn install against our project's current package.json file.

Other updates will be "out-of-range", meaning these PRs will require a change to both our package.json file and our lockfile. This is a signal of a bigger change, potentially one that involves breaking changes for the users of our project.

Dependabot will include release notes right in our PR for these changes, so we can easily decide whether we want to merge this PR, ignore a certain version range, or take some other action.

Configuring Dependabot

There are some helpful config options you can set to make Dependabot work better for your project.

For example, you can tell it to ignore certain dependencies. We'll configure Dependabot to ignore ember-cli for Mirage, since we want to manage that upgrade ourselves. We can do that by adding the comment "@dependabot ignore this dependency" to the Ember CLI PR that Dependabot opens.

We can also configure the service to automatically merge PRs that are in-range updates, since these are likely safe for our users.

More configuration options are available on your dashboard at dependabot.com.

The importance of tests

This entire process of automated dependency management only works if you have a solid test suite.

Mirage has comprehensive coverage, to the point where if the tests pass, I am confident in merging a change into master.

If your project doesn't have good test coverage, you will not be able to take advantage of these sorts of workflows; but then again, you have bigger problems because you never really know if any change breaks your app, without a ton of manual testing!

So, having a great test suite is a prerequisite to easy maintenance, including having a bot automatically update your project's dependencies.

Config files

A newer Dependabot feature is the ability to configure it using a config file. This is nice because it is more portable and easier to replicate across projects.

Here are the docs on Dependabot config files. You can also see an example by taking a look at Ember CLI Tailwind's config.
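As an added example (not code from this page or from the Mirage project), here is what the two settings from the "Configuring Dependabot" section, ignoring ember-cli and auto-merging in-range updates, look like in a .dependabot/config.yml file using the version 1 schema that the dependabot.com service read. The package manager, directory and update schedule values are assumptions for a JavaScript project whose package.json sits at the repository root:

```yaml
# .dependabot/config.yml (version 1 schema, read by the dependabot.com service)
version: 1
update_configs:
  # One entry per package manager and directory. Mirage is a JavaScript
  # project with its package.json at the repository root (assumed here).
  - package_manager: "javascript"
    directory: "/"
    # "live" opens a PR as soon as a new version is published;
    # "daily", "weekly" and "monthly" batch the checks instead.
    update_schedule: "live"
    # Skip ember-cli entirely; that upgrade is managed by hand, as the
    # section above describes doing with the "@dependabot ignore" comment.
    ignored_updates:
      - match:
          dependency_name: "ember-cli"
    # Merge in-range updates (lockfile-only changes) automatically once the
    # PR's status checks pass; out-of-range updates still need a human review.
    automerged_updates:
      - match:
          dependency_type: "all"
          update_type: "in_range"
```

The automerge rule only fires after the PR's CI checks are green, which is why the point made above under "The importance of tests" matters: a merge that nobody reads is only as safe as the test suite that gates it. Note that the GitHub-native Dependabot that later replaced the dependabot.com service reads a different file, .github/dependabot.yml with version: 2; it supports an ignore list but has no automerge key, so automerging there is done with a separate workflow.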
