Manage Ruby dependencies with Dependabot
We’re obliged to keep our software current. To help with this, we use a service called Dependabot to perform automated dependency upgrades.
RFC 126 describes the custom configuration we have for Dependabot to reduce the number of PRs it opens, and therefore the number of deployments and effort required to keep our apps up to date.
Reviewing Dependabot PRs
Dependabot updates occur relatively soon after a new version is published, which means there’s a risk of updating to a rogue version. Some updates also contain breaking changes, irrespective of when they are published.
When reviewing a Dependabot PR you should do the following:
Check the
CHANGELOGfor any breaking changes or upgrade instructions.Use “See full diff in compare view” to verify the version bump in the repo matches the one for the PR, from RubyGems.
Verify the author of the version bump commit is a regular contributor to the repo, and otherwise review the commits in more detail.
For these reasons we’re not planning to enable auto-merge for Dependabot PRs.
Managing Dependabot
Add Dependabot to a repo
- Give Dependabot access to the repo (only GitHub org owners can do this)
- Go to Dependabot admin and click “Add project”
Ask Dependabot to bump dependencies
By default Dependabot will bump dependencies once a day, but you can ask it to bump manually:
Go to Dependabot admin and click “Bump now” for your project
Audit Dependabot PRs
We have the govuk-dependencies app to monitor outstanding Dependabot PRs on govuk repos.
Security
There are 2 safeguards to prevent unauthorised code changes. Firstly, Dependabot can only update the repositories that we explicitly allow on GitHub. This prevents code changes to other repos. Secondly, we’ve set up branch protection for all repos with the govuk label. This prevents Dependabot from writing directly to master.