Manually going through your dependencies for alerts and outdated versions is tedious work. Let's automate this process!
Meet Dependabot
Dependabot creates pull requests to keep your dependencies secure and up-to-date!
How does Dependabot work?
Dependabot is the actor for GitHub's automated security fixes.
GitHub uses the dependency graph and security alerts to scan your repository's manifest and lock files and notify you when a dependency has a known vulnerability or a newer version is available.
If a dependency is vulnerable or out of date, Dependabot opens a separate pull request to update each one.
If the tests pass and the updated version looks good, review and merge the pull request. Check that the pull request touches only the manifest and lock file entries for that dependency, and read the release notes for the new version, since a dependency bump is code you are about to run.
Configuring automated security fixes
Automated security fixes can be enabled for any repository that uses security alerts and the dependency graph, and GitHub enables them by default in every such repository. You can disable them for an individual repository, or for all repositories owned by your user account or organization.
Here, we have a security alert on the `debug` dependency. Clicking on `debug` shows the pull request Dependabot created to update it. We just updated to 2.6.9, but Dependabot noticed we are still outdated.
If you navigate to your pull requests, you'll see that Dependabot has done its job and is trying to bump (update) the version of `debug`. Review the pull request, and if the checks pass, approve and merge it.
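As an added example (not code from this course or from Dependabot itself), here is a small Python model of what the dependency graph and security alerts do for an npm project: walk a package-lock.json, including transitive packages nested under each entry's own `dependencies`, compare every resolved version against a table of vulnerable version ranges, and report each hit with the chain that pulled it in, which tells you whether fixing it means editing `package.json` or bumping the parent package. The lock file contents and the advisory ranges are constructed for this example and are not real advisory data.

```python
"""Added example: a minimal model of dependency-graph security alerts for npm.

Walks a package-lock.json (lockfileVersion 1 layout, where nested
"dependencies" hold transitive packages), checks every resolved version
against a table of vulnerable ranges, and reports each match with the
chain of packages that pulled it in.  Lock file and advisory data are
constructed for this example; the ranges are illustrative only.
"""
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample lock file: "debug" appears twice, once as a direct
# dependency and once as an older transitive dependency of "express".
# Alerts fire on transitive packages in the lock file as well.
SAMPLE_LOCKFILE = json.dumps({
    "name": "security-strategy-essentials",
    "lockfileVersion": 1,
    "dependencies": {
        "debug": {"version": "2.6.9"},
        "express": {
            "version": "4.16.0",
            "dependencies": {
                "debug": {"version": "2.6.8"},
            },
        },
        "lodash": {"version": "4.17.11"},
    },
})

# Constructed advisory table: package -> list of (introduced, fixed) ranges,
# lower bound inclusive, upper bound exclusive.  Hypothetical values.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "debug": [("0.0.0", "2.6.9"), ("3.0.0", "3.1.0")],
    "lodash": [("0.0.0", "4.17.12")],
}

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Return numeric major.minor.patch; pre-release/build suffixes are ignored.

    Anything not starting with three dot-separated integers raises ValueError,
    so a malformed lock entry is never silently treated as safe.
    """
    match = _SEMVER.match(version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable(version: str, ranges: List[Tuple[str, str]]) -> bool:
    """True if version falls inside any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def walk_lockfile(deps: Dict, chain: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], str]]:
    """Yield (dependency chain, resolved version) for every package, depth-first."""
    for name, entry in deps.items():
        path = chain + (name,)
        yield path, entry["version"]
        yield from walk_lockfile(entry.get("dependencies", {}), path)


def find_vulnerable(lockfile_text: str,
                    advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (chain, package, version) for each vulnerable package in the lock file.

    The chain is rendered as "a > b" so a reviewer can tell a direct dependency
    (fix package.json) from a transitive one (bump the parent or re-resolve).
    """
    lock = json.loads(lockfile_text)
    findings = []
    for path, version in walk_lockfile(lock.get("dependencies", {})):
        name = path[-1]
        if name in advisories and is_vulnerable(version, advisories[name]):
            findings.append((" > ".join(path), name, version))
    return findings


if __name__ == "__main__":
    for chain, name, version in find_vulnerable(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES):
        print(f"{name}@{version} is vulnerable (via {chain})")
```

Note that the direct `debug` at 2.6.9 is clean under the constructed table while the copy nested under `express` is not; a pull request that only edits the top-level entry would leave the transitive copy in place, which is why the chain is part of each finding.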
How to install Dependabot if it is not enabled through automated security fixes
- Navigate to Dependabot on the [GitHub Marketplace](https://github.com/marketplace/dependabot-preview)
- Click the "Install it for free" button
- Follow on-screen instructions to add Dependabot to your GitHub profile
- When installing Dependabot, choose `Only select repositories` and select this repository, https://github.com/dkijc/security-strategy-essentials
- On `app.dependabot.com`, under `repos you want to add`, select https://github.com/dkijc/security-strategy-essentials and click the `Add selected` button
Important Note!
Dependabot is owned and maintained by GitHub. Dependabot Preview is a public beta for functionality that we are integrating directly into GitHub. These automatic security fixes are in beta and are subject to change.
Automated dependency updates with Dependabot