Breaking CI with Dependabot — Weekly Telescope Podcast

In this article I will talk about setting up automatic dependency updates, their pros and cons… and how to break your CI with them.


Why Do You Need to Know about Dependabot?

Configuration Process

```yaml
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'daily'
      time: '07:00'
      # Use Eastern Standard Time (UTC -05:00)
      timezone: 'America/Toronto'
    open-pull-requests-limit: 10
    commit-message:
      prefix: 'chore: '
    reviewers:
      - 'Seneca-CDOT/winter-2021-telescope'
      - 'c3ho'
      - 'manekenpix'
      - 'raygervais'
      - 'cindyledev'
    labels:
      - 'dependencies'
  - package-ecosystem: 'npm'
    directory: '/src/frontend/gatsby'
    schedule:
      interval: 'daily'
      time: '07:00'
      timezone: 'America/Toronto'
    open-pull-requests-limit: 10
    commit-message:
      prefix: 'chore: '
    reviewers:
      - 'Seneca-CDOT/winter-2021-telescope'
      - 'c3ho'
      - 'manekenpix'
      - 'raygervais'
      - 'cindyledev'
    labels:
      - 'dependencies'
      - 'area: gatsbyjs'
  - package-ecosystem: 'npm'
    directory: '/src/frontend/next'
    schedule:
      interval: 'daily'
      time: '07:00'
      timezone: 'America/Toronto'
    open-pull-requests-limit: 10
    commit-message:
      prefix: 'chore: '
    reviewers:
      - 'Seneca-CDOT/winter-2021-telescope'
      - 'c3ho'
      - 'manekenpix'
      - 'raygervais'
      - 'cindyledev'
    labels:
      - 'dependencies'
      - 'area: nextjs'
  - package-ecosystem: 'npm'
    directory: '/tools/autodeployment'
    schedule:
      interval: 'daily'
      time: '07:00'
      timezone: 'America/Toronto'
    open-pull-requests-limit: 10
    commit-message:
      prefix: 'chore: '
    reviewers:
      - 'Seneca-CDOT/winter-2021-telescope'
      - 'c3ho'
      - 'manekenpix'
      - 'raygervais'
      - 'cindyledev'
    labels:
      - 'dependencies'
      - 'area: autodeployment'
```

With those keys we tell the bot how often, at what time, and in which timezone it should run its checks. Since the project has several package files, we wanted a distinctive label on each entry so that we could quickly see which module an update relates to. Adding a prefix to the commit message was also useful, because it puts the category of the change into our changelog. Finally, we wanted all of our active contributors assigned as reviewers. Oh, and one more thing… there is the open-pull-requests-limit option, which sets the maximum number of pull requests Dependabot will keep open for that entry (the default is 5 when the key is omitted). The cap is per entry, so with four npm entries at 10 that is up to 40 open PRs, and every one of them triggers a full CI run when it is created and again each time Dependabot rebases it. As it turned out, this one option can easily exhaust CI quotas and send you a few bills (I'm sorry, Dave).
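An added example, not part of the original post or of Telescope's own tooling: a small Python audit of a Dependabot v2 config that works out the worst-case number of concurrently open PRs (the caps are per entry, so they add up) and flags entries whose cap is above the default of 5 or that combine a raised cap with a daily schedule. The function names, the `max_total` budget of 10 and the `cap_limits` helper are my own choices; `load_config` assumes PyYAML is installed, and `SAMPLE_CONFIG` is a constructed copy of the four npm entries shown above.

```python
"""Audit a Dependabot v2 config for how much CI it can trigger.

Added example (not Telescope's own tooling). audit() works on the dict that
yaml.safe_load() returns for .github/dependabot.yml; SAMPLE_CONFIG is
constructed inline to mirror the four npm entries in the article.
"""
from __future__ import annotations

import copy

DEFAULT_OPEN_PR_LIMIT = 5  # Dependabot's default when the key is omitted

# Constructed sample: the article's four entries, each capped at 10.
SAMPLE_CONFIG: dict = {
    "version": 2,
    "updates": [
        {
            "package-ecosystem": "npm",
            "directory": directory,
            "schedule": {"interval": "daily", "time": "07:00",
                         "timezone": "America/Toronto"},
            "open-pull-requests-limit": 10,
        }
        for directory in ("/", "/src/frontend/gatsby",
                          "/src/frontend/next", "/tools/autodeployment")
    ],
}


def load_config(path: str = ".github/dependabot.yml") -> dict:
    """Load a real config file. Assumes PyYAML is installed; it is imported
    lazily so the rest of the audit runs without it."""
    import yaml
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def pr_limit(entry: dict) -> int:
    """Effective open-PR cap for one `updates` entry."""
    return int(entry.get("open-pull-requests-limit", DEFAULT_OPEN_PR_LIMIT))


def worst_case_open_prs(config: dict) -> int:
    """Upper bound on Dependabot PRs open at the same time: the cap is
    per entry, so it adds up across ecosystems and directories."""
    return sum(pr_limit(e) for e in config.get("updates", []))


def audit(config: dict, max_total: int = 10) -> list[str]:
    """Return human-readable findings; an empty list means every entry is at
    or below the default cap and the total stays within `max_total`."""
    findings: list[str] = []
    if config.get("version") != 2:
        findings.append("version must be 2 for Dependabot's current config format")
    for entry in config.get("updates", []):
        where = f"{entry.get('package-ecosystem')}:{entry.get('directory')}"
        limit = pr_limit(entry)
        interval = entry.get("schedule", {}).get("interval")
        if limit > DEFAULT_OPEN_PR_LIMIT:
            findings.append(
                f"{where}: open-pull-requests-limit {limit} is above the "
                f"default {DEFAULT_OPEN_PR_LIMIT}; each open PR costs a CI run "
                f"on creation and on every rebase")
        if limit > DEFAULT_OPEN_PR_LIMIT and interval == "daily":
            findings.append(
                f"{where}: daily checks can refill the {limit}-PR budget every "
                f"morning; consider interval 'weekly'")
    total = worst_case_open_prs(config)
    if total > max_total:
        findings.append(
            f"worst case {total} Dependabot PRs open at once across "
            f"{len(config.get('updates', []))} entries (budget {max_total})")
    return findings


def cap_limits(config: dict, cap: int) -> dict:
    """Return a copy of `config` with every entry's cap lowered to `cap`
    (entries already at or below `cap` are left alone)."""
    fixed = copy.deepcopy(config)
    for entry in fixed.get("updates", []):
        entry["open-pull-requests-limit"] = min(pr_limit(entry), cap)
    return fixed


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("-", line)
    print("after capping at 3:", worst_case_open_prs(cap_limits(SAMPLE_CONFIG, 3)))
```

Against the real file, `audit(load_config())` prints the same kind of findings for your repository; `cap_limits` only lowers the per-entry cap, so dropping the daily interval to weekly is still a manual edit if the audit asks for it.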

Fun Part

Useful Remarks

Conclusion

Enthusiastic Junior Software Developer striving for discoveries & curious about technology