Dependabot is a fantastic free service that helps automate your project's dependency upgrades. Let's get it set up for Ember CLI Mirage.
After visiting www.dependabot.com and signing in, we can add our repository in a few clicks using the web UI.
package.json file to check for dependency updates.
Once we do, Dependabot will kick off an initial check and start sending PRs to our project for out of date dependencies.
Soon, we'll see our first one:
Dependabot gives us helpful info right in the PR so we know why this dependency has changed.
In-range vs. out-of-range updates
Many update PRs Dependabot opens will be "in-range" updates, meaning only our lockfile will change. In other words, these are the versions of these dependencies we'd get if we did a fresh yarn install using our project's current
Other updates will be "out-of-range", meaning these PRs will require a change to both our package.json file and our lockfile. This is a signal of a bigger change, potentially one that involves breaking changes for the users of our project.
Dependabot will include release notes right in our PR for these changes, so we can easily decide whether we want to merge this PR, ignore a certain version range, or take some other action.
There are some helpful config options you can set to make Dependabot work better for your project.
For example, you can tell it to ignore certain dependencies. We'll configure Dependabot to ignore ember-cli for Mirage, since we want to manage that upgrade ourselves. We can do that by adding the comment @dependabot ignore this dependency to the Ember CLI PR that Dependabot opens.
We can also configure the service to automatically merge PRs that are in-range updates, since these are likely safe for our users.
More configuration options are available on your dashboard at dependabot.com.
The importance of tests
This entire process of automated dependency management only works if you have a solid test suite.
Mirage has comprehensive coverage, to the point where if the tests pass, I am confident in merging a change into master.
If your project doesn't have good test coverage, you will not be able to take advantage of these sorts of workflows; but then again, you have bigger problems because you never really know if any change breaks your app, without a ton of manual testing!
So, having a great test suite is a prerequisite to easy maintenance, including having a bot automatically update your project's dependencies.
A newer Dependabot feature is the ability to configure it using a config file. This is nice because it is more portable and easier to replicate across projects.