Last updated: 24 Aug 2021

Manage Ruby dependencies with Dependabot

We’re obliged to keep our software current. To help with this, we use a service called Dependabot to perform automated dependency upgrades.

RFC 126 describes the custom configuration we have for Dependabot to reduce the number of PRs it opens, and therefore the number of deployments and effort required to keep our apps up to date.

Reviewing Dependabot PRs

Dependabot updates occur relatively soon after a new version is published, which means there’s a risk of updating to a rogue version. Some updates also contain breaking changes, irrespective of when they are published.

When reviewing a Dependabot PR you should do the following:

  • Check the CHANGELOG for any breaking changes or upgrade instructions.

  • Use “See full diff in compare view” to verify that the version bump in the upstream repo matches the version the PR pulls in from RubyGems.

  • Verify the author of the version bump commit is a regular contributor to the repo, and otherwise review the commits in more detail.

For these reasons we’re not planning to enable auto-merge for Dependabot PRs.

Managing Dependabot

Add Dependabot to a repo

Any GOV.UK developer with production access can enable Dependabot for a repo.

  1. Navigate to the repo on GitHub, click “Insights”.
  2. Choose the “Dependency graph” menu item.
  3. Select the “Dependabot” tab.
  4. Click “Enable Dependabot”.
  5. To configure Dependabot, a PR will need to be created that adds a configuration file. In RFC #126 it was decided that a custom configuration would be used for GOV.UK applications. Once you have written a .github/dependabot.yml configuration file, create a pull request and merge this into the repo. Dependabot will automatically run following the merge.
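For orientation, this is the shape such a file takes for a Ruby app using Bundler. It is an illustration added here, not the configuration RFC 126 specifies; the weekly interval, the PR limit and the ignored placeholder gem are assumptions.

```yaml
# Example .github/dependabot.yml for a Ruby app.
# Added illustration: the interval, limit and ignore rule below are
# assumptions, not the settings RFC 126 chose for GOV.UK repos.
version: 2
updates:
  - package-ecosystem: "bundler"   # Gemfile / Gemfile.lock
    directory: "/"                 # where the Gemfile lives
    schedule:
      interval: "weekly"           # batched runs instead of a PR per release
    open-pull-requests-limit: 5    # cap on concurrent version-update PRs
    ignore:
      # Skip patch-level bumps for a noisy development-only gem.
      # "example-dev-gem" is a placeholder name, not a real dependency.
      - dependency-name: "example-dev-gem"
        update-types: ["version-update:semver-patch"]
    labels:
      - "dependencies"
```

The schedule interval here is the frequency referred to in the next section, and Dependabot can still be triggered manually as described there.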

Ask Dependabot to bump dependencies

By default Dependabot will bump dependencies at the frequency specified in the configuration file, but you can ask it to bump manually:

Go to your project in GitHub and click on “Insights”, then “Dependency graph”, then “Dependabot”, then “Last checked X minutes ago” next to the package manager of choice (e.g. Gemfile). Then you can click “Check for updates”.

Audit Dependabot PRs

We have the govuk-dependencies app to monitor outstanding Dependabot PRs on govuk repos.

Security

There are 2 safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub. This prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the govuk label. This prevents Dependabot from writing directly to main.