I have started looking at dependabot again.
With the loss of the Heroku free tiers, the old solution I used no longer works.
The first problem to solve is to detect PRs in need of merging.
```bash
#!/usr/bin/env bash
# Repositories to check; replace "owner" and the names with your own.
declare -a arr=("name1" "name2" "name3")
for i in "${arr[@]}"
do
  # List the open PRs in owner/<repo>; gh must be installed and authenticated.
  gh pr list -R "owner/$i"
done
```
The above is a bash script that requires the gh CLI tool to be installed and configured with access to your repos.
It gives you a report of the pending PRs to merge. It may need adapting if you have too many to read through in one go.
The next step is to start merging them.
Dependabot comment commands are useful here: commenting `@dependabot merge` on a PR asks dependabot to merge it once the checks pass.
The step beyond that is detecting how many merged PRs are waiting to be deployed. You don’t want a huge deploy in case it needs to be reverted.
You will never be clear of the upgrade treadmill. The best solution is to fully automate it.
To do that you need several things:
- a fast, reliable deploy/rollback process
- a sufficient test suite
The best option is to automate the merging of dependabot PRs that pass all the tests. Beware of false positives from other integrations that report on PRs (e.g. Snyk).
You will also need an automated deploy process. Deploying the latest build every day at a fixed time would help (it also ensures that the deploy process still worked as of yesterday).
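The two checks above (which dependabot PRs have green tests and are safe to hand to `@dependabot merge`, and how many PRs have merged since the last deploy) can be driven from the JSON that `gh pr list --json` emits. The following is an added example, not code from the original post. It assumes the field names `number`, `title`, `author.login`, `statusCheckRollup` and `mergedAt` as returned by the gh CLI, that dependabot's login appears as `app/dependabot`, and `owner/repo` is a placeholder; the sample JSON is constructed, not captured from a real repository.

```python
"""Triage dependabot PRs from `gh pr list --json` output.

Added example, not part of the original post. Assumes the JSON shape of
`gh pr list --json number,title,author,statusCheckRollup` and of
`gh pr list --state merged --json number,mergedAt`; the samples below are
constructed rather than captured from a real repository.
"""
import json
import subprocess
from datetime import datetime

DEPENDABOT_LOGIN = "app/dependabot"   # assumed: how gh reports the bot's login
REPO = "owner/repo"                   # placeholder

# Constructed sample of `gh pr list --json number,title,author,statusCheckRollup`.
# A StatusContext entry carries `state`; a CheckRun entry carries `status` and `conclusion`.
SAMPLE_OPEN_PRS = json.dumps([
    {"number": 101, "title": "Bump lodash from 4.17.20 to 4.17.21",
     "author": {"login": "app/dependabot"},
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "SUCCESS"},
         {"__typename": "StatusContext", "context": "ci/lint", "state": "SUCCESS"}]},
    {"number": 102, "title": "Bump express from 4.17.1 to 4.18.2",
     "author": {"login": "app/dependabot"},
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "FAILURE"}]},
    {"number": 103, "title": "Bump yargs from 17.0.0 to 17.1.0",
     "author": {"login": "app/dependabot"},
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "IN_PROGRESS", "conclusion": None}]},
    {"number": 104, "title": "Refactor auth module",
     "author": {"login": "alice"},
     "statusCheckRollup": [
         {"__typename": "CheckRun", "name": "test", "status": "COMPLETED", "conclusion": "SUCCESS"}]},
    {"number": 105, "title": "Bump pinned-tool from 1.0 to 1.1",
     "author": {"login": "app/dependabot"},
     "statusCheckRollup": []},
])

# Constructed sample of `gh pr list --state merged --json number,mergedAt`.
SAMPLE_MERGED_PRS = json.dumps([
    {"number": 95, "mergedAt": "2023-03-01T09:00:00Z"},
    {"number": 97, "mergedAt": "2023-03-02T10:30:00Z"},
    {"number": 99, "mergedAt": "2023-03-02T15:45:00Z"},
    {"number": 100, "mergedAt": "2023-03-03T08:00:00Z"},
])


def check_passed(check):
    """True only for a finished, successful check; pending or failed checks are not."""
    if check.get("__typename") == "StatusContext":
        return check.get("state") == "SUCCESS"
    return check.get("status") == "COMPLETED" and check.get("conclusion") in ("SUCCESS", "SKIPPED")


def mergeable_dependabot_prs(pr_list_json):
    """Numbers of dependabot PRs whose every check has passed.

    A PR with no checks at all is not treated as 'tests passed': with no test
    evidence, auto-merging it would defeat the point of gating on the suite.
    """
    eligible = []
    for pr in json.loads(pr_list_json):
        if pr["author"]["login"] != DEPENDABOT_LOGIN:
            continue
        checks = pr.get("statusCheckRollup") or []
        if checks and all(check_passed(c) for c in checks):
            eligible.append(pr["number"])
    return eligible


def merge_commands(pr_numbers, repo=REPO):
    """Build the `gh pr comment` argv that posts `@dependabot merge` on each PR."""
    return [["gh", "pr", "comment", str(n), "-R", repo, "--body", "@dependabot merge"]
            for n in pr_numbers]


def _parse_ts(value):
    # gh prints UTC timestamps with a trailing Z; fromisoformat needs an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def merged_since(merged_json, last_deploy_iso):
    """Numbers of PRs merged after the last deploy, oldest first."""
    cutoff = _parse_ts(last_deploy_iso)
    prs = [pr for pr in json.loads(merged_json) if _parse_ts(pr["mergedAt"]) > cutoff]
    return [pr["number"] for pr in sorted(prs, key=lambda pr: pr["mergedAt"])]


def deploy_batch_too_big(merged_numbers, max_batch=5):
    """True when more PRs are waiting than you would be comfortable reverting in one go."""
    return len(merged_numbers) > max_batch


if __name__ == "__main__":
    to_merge = mergeable_dependabot_prs(SAMPLE_OPEN_PRS)
    for argv in merge_commands(to_merge):
        print("would run:", " ".join(argv))          # swap for subprocess.run(argv, check=True) to act
    pending = merged_since(SAMPLE_MERGED_PRS, "2023-03-02T00:00:00Z")
    print("merged since last deploy:", pending, "too big:", deploy_batch_too_big(pending))
```

To run it against a real repository, replace the constructed samples with `subprocess.check_output(["gh", "pr", "list", "-R", REPO, "--json", "number,title,author,statusCheckRollup"])` and the equivalent `--state merged` call, and record the timestamp of each deploy so that `merged_since` has a cutoff to compare against.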
It is possible to rate limit dependabot to only having 10 open PRs at a time. This could help, but it could be problematic if you are in a fast-moving ecosystem like JavaScript.