September 12, 2018

Updating your .NET project dependencies with Dependabot


Back in May, I developed a .NET Core Global tool called dotnet-outdated that allows you to check for outdated dependencies (NuGet packages) in your project and automatically update those. This is great, but it requires you to you run it manually.

I recently came across a service called Dependabot that will automatically run checks against your GitHub repository to check for any outdated dependencies and create Pull Requests to update those dependencies.

I decided to give it a try on the dotnet-outdated repository. Here is a walk-through of this process with some screenshots.

Sign up for Dependabot

You will need to sign up for Dependabot, so head over to the Dependabot home page and click the Sign up button. Then, select to Sign up with GitHub.

Sign up for Dependabot

You will need to give access to GitHub account.

Give access to your GitHub account

And install Dependabot on GitHub account

Install Dependabot on your GitHub account

This will take you to the Dependabot page on the GitHub Marketplace. Scroll down to the pricing options, select the Open source/personal account option and then click the Install it for free button.

Install Dependabot for free

Review your order and click the Complete order and begin installation button.

Review your GitHub Marketplace order

You will be taken to another screen which will allow you to give access to Dependabot to all your repositories or just specific repositories. Select the repositories you want to provide access to and click the Install button.

Give access to repositories

Configure a repository to watch

You will be redirected back to the Dependabot website where you can now add repositories for Dependabot to watch. Click the Add Repo button.

Add a new repository

This will open a dialog where you can select the repository and the language. In my case, I selected the dotnet-outdated repo and set the language to .NET. You can configure advanced options if you want, and once done you can click on the Add button.

Add a new repository

After the repo has been added, you will see it displayed in the list of repositories which are configured with Dependabot. The status will indicate that it is busy checking the repository for newer dependencies.

Repository status

Once the repository has been checked, the status will be updated. You can head over to the repository’s page on GitHub and head see whether any Pull Requests have been created.

In my case, you can see that it has created PRs for five dependencies to be updated. Also notice the little yellow lightbulb next to each PR to indicate that checks are running - in this case, my automated tests which have been configured with AppVeyor.

List of GitHub PRs

I can open one of the pull requests to view more information about the Pull Request. When I scroll down, I can see that the checks are still running.

GitHub PR checks still running

When I head over to the Files changed tab, I can see that the two project files have been updated and the version number of the McMaster.Extensions.CommandLineUtils package has been bumped to the latest version.

GitHub PR files changed

After a while, my AppVeyor build has completed and I can see that all checks have passed.

GitHub PR checks have passed

At this point, given that my test coverage is good, I can be sure that upgrading this dependency will not cause any issues and I can merge the Pull Request.

GitHub PR merged

Dependabot even cleans up after itself, so if you give it a few seconds you will notice the status updating and stating that Dependabot has deleted the branch it created for the PR.

GitHub PR branch deleted

When things go wrong

Thankfully, since I have configured AppVeyor to run my application’s tests when a new PR is submitted, I can catch dependency upgrades which are going to break my application. As you can see in the screenshot below, the upgrade of the System.IO.Abstractions package to the latest version causes my build to fail:

GitHub PR checks failing

This gives me the opportunity to look and the AppVeyor logs to see what the error is that occurred. I can then check out that PR locally and make updates to my code to fix the error.


Dependabot provides a great, hands-off way to automatically keep your project’s dependencies up to date. Dependabot allows for a number of configuration options, such as how often outdated dependencies should be checked, as well as whether to automatically merge PRs if all checks have been passed successfully.

Dependabot also works with a wide range of programming languages so you can, for example, also upgrade the NPM packages used in your JavaScript application. If you’re using Docker it can even update the base images for your Docker files.