DEV Community

Cover image for Support your GitHub Projects with GitHub Dependabot
Robertblazor
Robertblazor

Posted on • Edited on

Support your GitHub Projects with GitHub Dependabot

log4j is an event that lasts forever, and we should think about some ways to prevent this. Like keep all of our dependencies up to date.

Before today, it's going to be a bummer to do this, a person manually keep an eye on every single package used in a project is just a joke at least.

What we can do is to enable the dependabot component in GitHub, and let their excellent AI and the professional teams to take care of this.

First, I will find a github repo to fork, here is the link to the project we want to start with:

Blazor Starter Project

The next step is to go to the settings section right in your repository:

Image description

Image description

My personal suggestion is to enable all of them as that will help GitHub and everyone to keep the open-source community in a better health.

Let's try to enable the first section:

All good until the last enable button:

Dependabot version updates, it will show up a yml file shown below

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
Enter fullscreen mode Exit fullscreen mode

And the commit change button is also disabled as I need to fill some blanks, here is a working final result:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "nuget" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
Enter fullscreen mode Exit fullscreen mode

You can absolutely commit this one, but dependabot will give you some funny alerts and pull requests like it would ask you to upgrade some packages designed for .NET 8 - preview 6. And as you merge the pull requests, your application will boom right in front of you. (happened to me last night)

Image description

Some more modifications here, just use the ignore configuration for this case.

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    ignore:
      - dependency-name: "Microsoft.AspNetCore.Components.WebAssembly"
        versions: ["8.0.x"]
      - dependency-name: "Microsoft.AspNetCore.Components.WebAssembly.DevServer"
        versions: ["8.0.x"]
Enter fullscreen mode Exit fullscreen mode

The next thing you will get is some pull requests that specifies these two packages with new version of 7.0.9, I can safely promise that this upgrade won't break anything.

Okay, you should be able to keep your cloud application's packages up to date from now. (And please, this only works with deployed applications.)

Top comments (0)