Keeping up to date with patches
The overwhelming task of keeping up with security patches and package upgrades can be excruciating.
What to do?
I’ve switched to Dependabot. As we got to know each other, Dependabot grew on me.
Dependabot supports multiple package managers, such as npm, mix, and even docker. I love this feature.
It runs as a GitHub Actions job and can be configured under Settings -> Code security in your repository.
It all starts by enabling Dependency graph. From there I enabled alerts, security updates, grouped security updates, and Dependabot on Action runners.
I wasn’t satisfied with Dependabot running on the master branch, so I had to tweak it by creating a configuration file at .github/dependabot.yml.
It looks like this:

```yaml
version: 2
updates:
  # Enable version updates for npm
  - package-ecosystem: "npm"
    # Look for `package.json` and lock files in the `/assets` directory
    directory: "/assets"
    # Check the npm registry for updates every day (weekdays)
    schedule:
      interval: "daily"
    # Open pull requests against staging instead of the default branch
    target-branch: "staging"
    # Bundle updates into one PR per dependency type
    groups:
      prod-dependencies:
        dependency-type: "production"
      dev-dependencies:
        dependency-type: "development"
  # Enable version updates for Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    target-branch: "staging"
  # Enable version updates for Mix
  - package-ecosystem: "mix"
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "staging"
    groups:
      prod-dependencies:
        dependency-type: "production"
      dev-dependencies:
        dependency-type: "development"
```
Dependabot will check for updates from npm, mix, and docker. This is all part of my workflow. It groups updates per package-ecosystem into one pull request.
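A mistake that is easy to make in this file is to add a new ecosystem entry and forget the target-branch, so that Dependabot quietly starts opening pull requests against the default branch again. The following linter is an added example, not part of the original post or of Dependabot itself: it checks a loaded dependabot.yml structure against the schema constraints from the Dependabot configuration reference (known ecosystems, schedule intervals, group dependency types) plus this post's own policy that every entry targets the staging branch. The POST_CONFIG dict is the post's configuration transcribed by hand; MISCONFIGURED is a constructed bad entry; load_config assumes PyYAML is installed.

```python
"""Lint a dependabot.yml structure before committing it.

Added example, not part of the original post. Schema constraints come from
the Dependabot configuration reference; the target-branch requirement is the
post's own policy (no update PRs against master).
"""

# Subset of the ecosystems Dependabot documents; extend as needed.
ALLOWED_ECOSYSTEMS = {
    "npm", "mix", "docker", "github-actions", "pip", "cargo",
    "gomod", "bundler", "composer", "maven", "nuget",
}
ALLOWED_INTERVALS = {"daily", "weekly", "monthly"}
ALLOWED_DEPENDENCY_TYPES = {"production", "development"}


def load_config(path):
    """Load a real dependabot.yml with PyYAML (assumed installed)."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def lint_dependabot(config, required_branch="staging"):
    """Return a list of readable problems; an empty list means the config passes."""
    problems = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return problems + ["updates must be a non-empty list"]
    for i, entry in enumerate(updates):
        where = f"updates[{i}]"
        eco = entry.get("package-ecosystem")
        if eco not in ALLOWED_ECOSYSTEMS:
            problems.append(f"{where}: unknown package-ecosystem {eco!r}")
        directory = entry.get("directory")
        if not isinstance(directory, str) or not directory.startswith("/"):
            problems.append(f"{where}: directory must start with '/' (relative to repo root)")
        interval = (entry.get("schedule") or {}).get("interval")
        if interval not in ALLOWED_INTERVALS:
            problems.append(f"{where}: schedule.interval must be one of {sorted(ALLOWED_INTERVALS)}")
        # The post's policy: never let Dependabot target the default branch.
        if entry.get("target-branch") != required_branch:
            problems.append(f"{where}: target-branch must be {required_branch!r}")
        for name, group in (entry.get("groups") or {}).items():
            dep_type = group.get("dependency-type")
            if dep_type is not None and dep_type not in ALLOWED_DEPENDENCY_TYPES:
                problems.append(f"{where}: group {name!r} has invalid dependency-type {dep_type!r}")
    return problems


# The post's configuration, transcribed into a Python structure.
_GROUPS = {
    "prod-dependencies": {"dependency-type": "production"},
    "dev-dependencies": {"dependency-type": "development"},
}
POST_CONFIG = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "npm", "directory": "/assets",
         "schedule": {"interval": "daily"}, "target-branch": "staging", "groups": _GROUPS},
        {"package-ecosystem": "docker", "directory": "/",
         "schedule": {"interval": "weekly"}, "target-branch": "staging"},
        {"package-ecosystem": "mix", "directory": "/",
         "schedule": {"interval": "daily"}, "target-branch": "staging", "groups": _GROUPS},
    ],
}

# Constructed mistake: a docker entry added without target-branch.
MISCONFIGURED = {
    "version": 2,
    "updates": [
        {"package-ecosystem": "docker", "directory": "/",
         "schedule": {"interval": "weekly"}},
    ],
}

if __name__ == "__main__":
    for label, cfg in (("post config", POST_CONFIG), ("misconfigured", MISCONFIGURED)):
        print(label, "->", lint_dependabot(cfg) or "OK")
```

Run it as a pre-commit hook or a CI step (`lint_dependabot(load_config(".github/dependabot.yml"))`) and fail the build on a non-empty list, so the branch policy is enforced before Dependabot ever reads the file.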
Now I have an automated system to keep up to date with patches and new package versions. I just have to lean back and review the pull requests.