Automated Dependency Updates with Dependabot
Outdated dependencies are a source of vulnerabilities. Manually updating hundreds of packages every quarter is unrealistic. Dependabot opens pull requests automatically when new versions appear.
Dependabot Setup
# .github/dependabot.yml
version: 2
updates:
  # npm dependencies
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
      timezone: "Europe/Moscow"
    open-pull-requests-limit: 10
    groups:
      # Group dev dependencies in one PR
      dev-dependencies:
        patterns:
          - "@types/*"
          - "eslint*"
          - "prettier*"
          - "jest*"
          - "vitest*"
          - "typescript"
        update-types:
          - "minor"
          - "patch"
      # Storybook — separate
      storybook:
        patterns:
          - "@storybook/*"
          - "storybook"
    ignore:
      # Don't update major automatically
      - dependency-name: "next"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
      - "automated"

  # GitHub Actions
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    labels:
      - "github-actions"
      - "automated"

  # Docker
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: monthly
    labels:
      - "docker"
      - "automated"

  # Composer (PHP)
  - package-ecosystem: composer
    directory: /
    schedule:
      interval: weekly
    groups:
      laravel:
        patterns:
          - "laravel/*"
Auto-merge for Patch Updates
# .github/workflows/dependabot-auto-merge.yml
name: Auto-merge Dependabot PRs
on: pull_request

permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Auto-merge patch and minor updates of dev dependencies.
      # `gh pr merge --auto` only waits for CI if branch protection on the
      # target branch lists the CI checks as required; otherwise it merges at once.
      - name: Auto-merge dev dependency patches
        if: |
          steps.metadata.outputs.dependency-type == 'direct:development' &&
          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
           steps.metadata.outputs.update-type == 'version-update:semver-minor')
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Auto-merge patch updates of production dependencies (after CI)
      - name: Auto-merge production patches
        if: |
          steps.metadata.outputs.dependency-type == 'direct:production' &&
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Renovate Bot: Alternative
Renovate is more powerful than Dependabot: it supports lock file maintenance, version pinning, grouped updates and monorepos.
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommits"
  ],
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchPackageNames": ["next", "react", "react-dom"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  }
}
Security Monitoring
# npm audit in CI: exits non-zero when any vulnerability of this level or above is found
npm audit --audit-level=high

# Prevent merge on critical vulnerabilities
# .github/workflows/security.yml (a step in the CI job; failing the job blocks the merge
# when branch protection requires this check)
- name: Security audit
  run: |
    # npm audit exits non-zero whenever it finds vulnerabilities, and the default
    # `bash -e` step shell would stop before the check below; capture the report first.
    npm audit --json > audit.json || true
    CRITICAL=$(jq '.metadata.vulnerabilities.critical // 0' audit.json)
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found: $CRITICAL"
      exit 1
    fi
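As an added example that is not part of the original page, a small Python gate over the `npm audit --json` report that goes beyond the jq count above: it lists every finding at or above a severity threshold, whether the package is a direct dependency, and whether `npm audit fix` can resolve it. The report keys (`vulnerabilities`, `metadata`, `isDirect`, `fixAvailable`, `via`) are npm's own; the sample data and the script name `audit_gate.py` are constructed.

```python
"""Gate CI on an `npm audit --json` report (npm 7+ format), listing each finding
at or above a severity threshold, whether it is a direct dependency, and whether
`npm audit fix` can resolve it. SAMPLE_REPORT is a constructed, abridged report."""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

SAMPLE_REPORT = json.dumps({  # constructed sample in the shape real npm output has
    "vulnerabilities": {
        "minimist": {"severity": "critical", "isDirect": False, "fixAvailable": True,
                     "via": [{"title": "Prototype Pollution"}]},
        "lodash": {"severity": "high", "isDirect": True, "fixAvailable": False,
                   "via": [{"title": "Command Injection"}]},
        "debug": {"severity": "low", "isDirect": False, "fixAvailable": True,
                  "via": ["ms"]},  # a bare string means "vulnerable through that package"
    },
    "metadata": {"vulnerabilities": {"low": 1, "high": 1, "critical": 1, "total": 3}},
})

def evaluate_audit(report_json, threshold="high"):
    """Return {"fail": bool, "blocking": [...]} for findings at or above threshold."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for name, vuln in json.loads(report_json).get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(vuln.get("severity"), 0) < min_rank:
            continue
        blocking.append({
            "name": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            # fixAvailable is true/false or an object naming the fixing version
            "fix_available": bool(vuln.get("fixAvailable")),
            # `via` mixes advisory objects with bare package names (transitive paths)
            "advisories": [v["title"] for v in vuln.get("via", []) if isinstance(v, dict)],
        })
    blocking.sort(key=lambda v: -SEVERITY_RANK[v["severity"]])  # worst first in the log
    return {"fail": bool(blocking), "blocking": blocking}

def main(argv):  # usage: npm audit --json > audit.json; python audit_gate.py audit.json [level]
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    result = evaluate_audit(raw, argv[2] if len(argv) > 2 else "high")
    for v in result["blocking"]:
        scope = "direct" if v["direct"] else "transitive"
        fix = "npm audit fix" if v["fix_available"] else "manual fix"
        print(f"{v['severity']:<8} {v['name']} ({scope}, {fix}): {', '.join(v['advisories'])}")
    return 1 if result["fail"] else 0  # non-zero exit fails the CI step

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```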
Setting up Dependabot with auto-merge and update grouping takes several hours; Renovate Bot with a monorepo configuration takes about 1 working day.