
dependabot


Mike:
Wondering how many of you are using dependabot on GitHub. If you don't know, it is a bot now owned by GitHub that looks at your dependency files and will open PRs to update them as new releases are made. Additionally, it will also alert you if one of the dependencies does a security fix.

I started using it a couple months ago and I love it. It took a couple of weeks of tweaking the schedule, target branch, and process to get it to fit into our process, but it is so worth it. I've got it scheduled to run weekly on Sundays. So, Monday mornings I review the changes, approve them, and tell the bot to merge them. I then bring them into the dev branch for regular testing. All the PRs are sent through our test suite just like everything else.

This totally beats our previous manual process of monthly (which often becomes every-other-month) review and update.
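The weekly Sunday schedule and target branch described in the post above are set in a `.github/dependabot.yml` file in the repository. The following is an added example written for this page, not Mike's own configuration; the package ecosystems (`npm`, `github-actions`), the branch name `main`, the timezone, the `express` package and the `deps` commit prefix are all assumptions chosen to illustrate the options.

```yaml
# .github/dependabot.yml
# Added example, not from the original post. Ecosystem, branch, timezone and
# package names are assumptions; adjust them to the repository in question.
version: 2
updates:
  # One entry per package ecosystem and manifest directory.
  - package-ecosystem: "npm"
    directory: "/"                 # where package.json / the lockfile live
    schedule:
      interval: "weekly"
      day: "sunday"                # PRs are waiting for the Monday review
      time: "03:00"
      timezone: "America/New_York" # assumed; IANA zone name
    target-branch: "main"          # assumed branch the version-update PRs target
    open-pull-requests-limit: 10   # cap on simultaneously open version-update PRs
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    # Hold back major bumps of a framework so they get a planned upgrade
    # rather than an automated PR; minor and patch updates still flow.
    ignore:
      - dependency-name: "express"
        update-types: ["version-update:semver-major"]

  # Keep the CI workflow's pinned actions current on the same cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "sunday"
```

Two points worth knowing when adopting this. First, the file configures version updates only; Dependabot security updates and alerts are enabled separately in the repository's security settings, and when an entry sets `target-branch`, that entry's settings no longer apply to the security-update PRs, which are raised against the default branch. Second, the "tell the bot to merge" step in the post is done by commenting on the PR with commands such as `@dependabot merge` or `@dependabot rebase`; the merge only proceeds once the required status checks, i.e. the test suite mentioned above, have passed.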

hans:
We have it running on our main repos.

ober:
We have it on all of our GitHub repos and it is awesome. Unfortunately (for this reason only), we're moving everything to Azure DevOps repos and I haven't found an equivalent scanner there. But who knows what MS will do. I can't imagine they will keep both repos forever. I wish SonarCloud would implement a package scanner. Or maybe we just need to give in and get Veracode.

Mike:
Well, given that MS owns GitHub I wouldn't be surprised if it got ported there as well.

ober:
I wish they would make a decision.  It could have a big impact on us.
