I have been working with a build pipeline that uses Dependabot this year. At the start of 2019 I took over as team lead on a project. My predecessor had enabled Dependabot across the team's pool of repositories; after some pruning we have around 60 of these.
Dependabot is an attempt to solve the upgrade cycle for third-party dependencies. It creates a pull request for each new version of a dependency. If you have a build server configured to run tests that you trust, you can have Dependabot auto-merge the PRs whose tests pass.
The year started with a backlog of 360 PRs. Early in the year I spent the first part of each morning ensuring that almost all of the projects had at least a test pipeline.
This started to make an impact on the backlog. Then we encountered our first React update, which added 70 PRs overnight.
One pair on my team automated the deployment of the React libraries to our CDN. This eventually helped, though we did have a fun problem with the first bad deploy: if you deploy a bad version of a library to a CDN it is painful to correct, because some users will have that version cached, potentially forever.
We also needed to restart a lot of broken builds. CD is great, but sometimes cloud infrastructure just fails.
Dependabot has a helpful interface in that an agent responds to comments on a PR. This lets you tell it to rebase, recreate, ignore or merge a given PR.
This week we got the PR total down to 12 by the end of one day. The next day Babel released a new version, so we jumped back to 70.
We will never win this race, but Dependabot does help keep the code up to date. Note that we also get updates from other teams in the organisation. One morning during planning we were able to report that a change we had been waiting on had been released, tested and merged in the time we were meeting.
I have had to raise a few issues with Dependabot support and they did fix them quickly. They had not encountered organisations with over a thousand repos before, which made the configuration UI slow; this is now much better.
Our setup of Dependabot, Jenkins and GitHub did not react well to the introduction of Snyk to the system. Snyk posts a status check on the PR telling GitHub that it is happy with the security of the dependencies. The problem was that this arrived faster than Jenkins could tell GitHub that it had even started testing the change. Dependabot then saw a PR whose only reported status was green and merged it, untested. We had a fun few days reverting broken builds until we tamed that one.
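The race above comes down to how an auto-merger decides a PR is ready: "every status that has reported is green" is not the same as "every status we require has reported green". The following is an added example, not Dependabot's, GitHub's or Jenkins' code; it models a PR's status-check timeline as constructed events and contrasts the naive gate with one that names its required checks (the context names `security/snyk` and `ci/jenkins` are assumptions for illustration).

```python
"""Model of an auto-merge gate racing a slow CI status (constructed example)."""
from dataclasses import dataclass

SUCCESS = "success"
PENDING = "pending"
FAILURE = "failure"


@dataclass(frozen=True)
class Status:
    """One status-check event as an integration would post it to a PR."""
    context: str   # e.g. "ci/jenkins" (hypothetical name)
    state: str


def latest_states(events):
    """GitHub keeps one state per context: the most recent event wins."""
    states = {}
    for ev in events:
        states[ev.context] = ev.state
    return states


def naive_gate(events):
    """Merge when every status that has *reported* is green.

    A check that has not posted anything yet does not count at all, so a
    fast 'success' from one tool is enough to open the gate. This is the
    behaviour that merged untested PRs in the text above.
    """
    states = latest_states(events)
    return bool(states) and all(s == SUCCESS for s in states.values())


def required_gate(events, required):
    """Merge only when every *required* context has reported success.

    A required context that is missing, pending or failed blocks the
    merge. This is what GitHub's branch-protection 'required status
    checks' enforce server-side.
    """
    states = latest_states(events)
    return all(states.get(ctx) == SUCCESS for ctx in required)


def first_merge_point(events, gate):
    """Index of the first event after which `gate` would fire, else None.

    Replays the timeline one event at a time, which is how an auto-merger
    polling the PR would see it.
    """
    for i in range(len(events)):
        if gate(events[: i + 1]):
            return i
    return None


REQUIRED = ("ci/jenkins", "security/snyk")

# Constructed timeline: the scanner reports before CI has even posted "pending",
# then CI starts and fails.
RACE = [
    Status("security/snyk", SUCCESS),
    Status("ci/jenkins", PENDING),
    Status("ci/jenkins", FAILURE),
]

# Constructed timeline where both checks eventually pass.
ALL_GREEN = [
    Status("security/snyk", SUCCESS),
    Status("ci/jenkins", PENDING),
    Status("ci/jenkins", SUCCESS),
]


def strict(events):
    return required_gate(events, REQUIRED)


if __name__ == "__main__":
    print("naive gate fires at event:", first_merge_point(RACE, naive_gate))   # 0
    print("required gate fires at event:", first_merge_point(RACE, strict))    # None
    print("required gate, all green:", first_merge_point(ALL_GREEN, strict))   # 2
```

The naive gate fires on the very first event, before Jenkins exists from the PR's point of view; the required gate never fires on the failing timeline and only fires on the third event of the passing one. The practical fix is the same as the model: enumerate the checks a merge depends on and treat "not yet reported" as a block, rather than trusting whichever integration happens to answer first.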
During the year Dependabot was bought by GitHub and is now free to use.
For now I have disabled Snyk on our projects but will investigate it further in the new year (it appears less configurable than Dependabot).
Here's to another year of up-to-date dependencies.