Depend Much?
Application Dependencies
JavaScript applications are often built on a foundation of open source libraries (a.k.a, node packages). Such application dependencies require weeding and feeding to make sure they’re secure, up-to-date, and still relevant.
A low-effort, high-value tool for dependency management is GitHub’s dependabot.
Secure & Up-to-date
Dependabot is a free GitHub service that developers can activate on a GitHub source repository to help keep their node dependencies secure and up-to-date.
What does it do?
Dependabot scans the repository searching for updatable dependencies. When it finds an out of date package, it opens a pull request for your review. In the image above, dependabot notified me about a minor update to the material-ui core library and opened a pull request against my repo.
Of course, it’s your call to approve and merge, or ignore (close and delete the pull request).
Typically I’ll bring down dependabot’s branch locally for a smoke test and to run the change set through a gauntlet of Cypress functional tests. If everything passes, I will merge to master. For a product where you’re the solo contributor, the bot is like having a collaborator.
Final Remarks
With dependabot keeping watch, I have some measure of assurance that I’m not incurring technical debt by falling too far behind on any given dependency. Also, I can rest assured that I am incorporating security patches in a systematic and timely manner.
