When working on a project that utilizes several open source dependencies it can often feel like a part-time job keeping up-to-date with dependencies updates. This can accumulate over time and cause your
package.json file to quickly become out of date. Which makes for updating the latest and greatest in the future much more difficult. With GitHub actions is very easy to automate this process!
Inside your project you can create a file under the
.github folder called
dependabot.yml which you can configure to automatically search known package providers for updates, that will generate create pull requests that you can help keep your project updated.
Here is an example that can be setup to keep your Composer and Yarn json files in sync with the latest releases of your open source dependencies.
# Set GitHub dependabot action version version: 2 updates: # List package source - package-ecosystem: "composer" directory: "/" # Configure how often schedule: interval: daily time: "15:30" # Automatically assign PR reviewer assignees: - "octocat" # Attach any labels labels: - "composer" - "dependencies" - package-ecosystem: "npm" directory: "/" schedule: interval: daily time: "15:30" assignees: - "octocat" labels: - "yarn" - "dependencies"
Note: Its important to have your composer.lock & yarn.lock file committed since GitHub's dependabot can properly update these files.