Updating your .NET project dependencies with Dependabot
Published: 12 September 2018
Back in May, I developed a .NET Core Global tool called dotnet-outdated that checks your project for outdated dependencies (NuGet packages) and can update them for you. This is great, but it requires you to run it manually.
I recently came across a service called Dependabot that will automatically run checks against your GitHub repository to check for any outdated dependencies and create Pull Requests to update those dependencies.
I decided to give it a try on the dotnet-outdated repository. Here is a walk-through of this process with some screenshots.
Sign up for Dependabot
You will need to sign up for Dependabot, so head over to the Dependabot home page and click the Sign up button. Then, select to Sign up with GitHub.
You will need to grant Dependabot access to your GitHub account.
Install Dependabot on your GitHub account
This will take you to the Dependabot page on the GitHub Marketplace. Scroll down to the pricing options, select the Open source/personal account option and then click the Install it for free button.
Review your order and click the Complete order and begin installation button.
You will be taken to another screen which will allow you to give access to Dependabot to all your repositories or just specific repositories. Select the repositories you want to provide access to and click the Install button.
Configure a repository to watch
You will be redirected back to the Dependabot website where you can now add repositories for Dependabot to watch. Click the Add Repo button.
This will open a dialog where you can select the repository and the language. In my case, I selected the dotnet-outdated repo and set the language to .NET. You can configure advanced options if you want, and once done you can click on the Add button.
After the repo has been added, you will see it displayed in the list of repositories which are configured with Dependabot. The status will indicate that it is busy checking the repository for newer dependencies.
Once the repository has been checked, the status will be updated. You can then head over to the repository's page on GitHub and see whether any Pull Requests have been created.
In my case, you can see that it has created PRs for five dependencies to be updated. Also notice the little yellow lightbulb next to each PR to indicate that checks are running - in this case, my automated tests which have been configured with AppVeyor.
I can open one of the pull requests to view more information. When I scroll down, I can see that the checks are still running.
When I head over to the Files changed tab, I can see that the two project files have been updated and the version number of the McMaster.Extensions.CommandLineUtils package has been bumped to the latest version.
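A bot-generated PR like this one should touch nothing but the `Version` of existing `PackageReference` entries. The script below is an added example, not part of the original post or of the dotnet-outdated project: it parses the "before" and "after" copies of a project file, reports which packages were bumped, and flags anything a dependency update should never do, such as adding a package, removing one, or downgrading a version. The two csproj documents and the package names and versions in them are constructed sample data, not the real dotnet-outdated project files.

```python
import xml.etree.ElementTree as ET

# Constructed "before" side of a dependency-update PR (sample data, not the
# dotnet-outdated project). One reference uses the Version attribute, the
# other the older child-element form; both are valid in csproj files.
BEFORE = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="McMaster.Extensions.CommandLineUtils" Version="2.2.0" />
    <PackageReference Include="System.IO.Abstractions">
      <Version>2.1.0</Version>
    </PackageReference>
  </ItemGroup>
</Project>
"""

# Constructed "after" side of a clean bot PR: only one version attribute changed.
AFTER_GOOD = BEFORE.replace('Version="2.2.0"', 'Version="2.3.0"')

# Constructed "after" side that a reviewer should reject: besides the bump it
# pulls in a package that was never referenced before.
AFTER_SUSPICIOUS = AFTER_GOOD.replace(
    "</ItemGroup>",
    '  <PackageReference Include="Unexpected.Package" Version="1.0.0" />\n  </ItemGroup>',
)


def _local(tag):
    """Strip an XML namespace prefix ({ns}Tag -> Tag); old-style csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def package_versions(csproj_text):
    """Return {package id: version} for every PackageReference in a csproj document."""
    root = ET.fromstring(csproj_text)
    versions = {}
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        name = el.get("Include")
        if not name:
            continue  # Update="..." references carry no version of their own
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        versions[name] = version
    return versions


def _version_key(version):
    """Numeric tuple for ordering (pre-release suffix after '-' is ignored)."""
    parts = []
    for piece in version.split("-", 1)[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def classify_changes(before_text, after_text):
    """Diff two csproj documents and bucket every package change by kind."""
    before = package_versions(before_text)
    after = package_versions(after_text)
    report = {"bumped": {}, "downgraded": {}, "added": {}, "removed": {}}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            report["added"][name] = new
        elif new is None:
            report["removed"][name] = old
        elif old != new:
            kind = "bumped" if _version_key(new) > _version_key(old) else "downgraded"
            report[kind][name] = (old, new)
    return report


def is_version_bump_only(before_text, after_text):
    """True when the change consists of version bumps and nothing else."""
    r = classify_changes(before_text, after_text)
    return bool(r["bumped"]) and not (r["added"] or r["removed"] or r["downgraded"])


if __name__ == "__main__":
    for label, after in (("clean PR", AFTER_GOOD), ("suspicious PR", AFTER_SUSPICIOUS)):
        print(label, classify_changes(BEFORE, after), "bump-only:", is_version_bump_only(BEFORE, after))
```

Run it against the two sides of a real PR by reading the project file from the base branch and from the PR branch; a `False` from `is_version_bump_only` is the cue to read the diff line by line before merging.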
After a while, my AppVeyor build has completed and I can see that all checks have passed.
At this point, given that my test coverage is good, I can be reasonably confident that upgrading this dependency will not break my application. After a quick look at the diff to confirm that nothing but the package version changed, I can merge the Pull Request.
Dependabot even cleans up after itself, so if you give it a few seconds you will notice the status updating and stating that Dependabot has deleted the branch it created for the PR.
When things go wrong
Thankfully, since I have configured AppVeyor to run my application's tests when a new PR is submitted, I can catch dependency upgrades which are going to break my application. As you can see in the screenshot below, upgrading the System.IO.Abstractions package to the latest version causes my build to fail:
This gives me the opportunity to look at the AppVeyor logs to see what error occurred. I can then check out that PR locally and update my code to fix the error.
Dependabot provides a great, hands-off way to keep your project's dependencies up to date. It offers a number of configuration options, such as how often outdated dependencies should be checked, as well as whether to merge PRs automatically once all checks have passed. Bear in mind that auto-merging trades review for convenience: a green build tells you the new version did not break your tests, not that it is a version you want to ship, so it is best reserved for repositories with thorough CI.
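For reference, the same options are configured today through a file in the repository rather than on the Dependabot website. The fragment below is an added example in the GitHub-native `.github/dependabot.yml` format, which postdates this post and is not what the walk-through above used; the directory and limit values are assumptions for a single-solution repository. Automatic merging is not a setting of this file, so merge policy still lives with your CI and branch protection.

```yaml
# .github/dependabot.yml (example; GitHub-native Dependabot format, not the
# 2018 Dependabot website configuration shown in the walk-through above)
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"                # assumed: .sln and .csproj files live at the repo root
    schedule:
      interval: "weekly"          # how often to check for outdated packages
    open-pull-requests-limit: 5   # assumed cap on concurrently open update PRs
```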
If you found value in this blog post and want to return the favour, you can Buy me a coffee
PS: I publish a weekly newsletter for ASP.NET Developers called ASP.NET Weekly. If you want to get an email every Friday with all the best ASP.NET related blog posts from the previous week, please sign up!