By default, Dependabot opens a new pull request to update each dependency. When you enable security updates, new pull requests are opened when a vulnerable dependency is found. When you configure version updates for one or more ecosystems, new pull requests are opened when new versions of dependencies are available, with the frequency defined in the dependabot.yml file.
If your project has many dependencies, you might find that you have a very large number of Dependabot pull requests to review and merge, which can quickly become difficult to manage.
There are a couple of customization options you can implement to optimize Dependabot update pull requests to align with your processes, such as:
- Controlling the frequency with which Dependabot checks for newer versions of your dependencies with schedule.
- Prioritizing meaningful updates with groups.
Controlling the frequency and timings of dependency updates
Dependabot runs its checks for version updates at a frequency set by you in the configuration file, where the required field, schedule.interval, must be set to daily, weekly, monthly, quarterly, semiannually, yearly, or cron (see cronjob).
By default, Dependabot balances its workload by assigning a random time to check and raise pull requests for dependency updates.
However, to reduce distraction, or to better organize the time and resources spent reviewing and addressing version updates, you might find it useful to modify the frequency and timings. For example, you may prefer Dependabot to run weekly rather than daily checks for updates, and at a time that ensures pull requests are raised before your team's triage session.
Modifying the frequency and timings for dependency updates
You can use schedule with a combination of options to modify the frequency and timings of when Dependabot checks for version updates.
The example dependabot.yml file below changes the npm configuration to specify that Dependabot should check for version updates to npm dependencies every Tuesday at 02:00 Japanese Standard Time (UTC +09:00).
# `dependabot.yml` file with
# customized schedule for version updates

version: 2
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    directory: "/"
    # Check the npm registry every week on Tuesday at 02:00 Japan Standard Time (UTC +09:00)
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "02:00"
      timezone: "Asia/Tokyo"
See also schedule.
Setting up a cooldown period for dependency updates
You can use cooldown with a combination of options to control when Dependabot creates pull requests for version updates.
The example dependabot.yml file below shows a cooldown period being applied to the dependencies requests, numpy, and those prefixed with pandas or django, but not to the dependency called pandas (exact match), which is excluded via the exclude list.
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"
    cooldown:
      default-days: 5
      semver-major-days: 30
      semver-minor-days: 7
      semver-patch-days: 3
      include:
        - "requests"
        - "numpy"
        - "pandas*"
        - "django"
      exclude:
        - "pandas"
- The number of cooldown days must be between 1 and 90.
- The maximum number of items allowed in the include and exclude lists, which can be used with cooldown, is 150 each.
Note
To consider all dependencies for a cooldown period, you can:
- Omit the include option, which applies the cooldown to all dependencies.
- Use "*" in include to apply the cooldown settings to everything. We recommend using exclude to exclude only specific dependencies from the cooldown settings.
SemVer is supported for most package managers. In the example above, updates to new versions of dependencies in cooldown are deferred as follows:
- Major updates: delayed by 30 days (semver-major-days: 30).
- Minor updates: delayed by 7 days (semver-minor-days: 7).
- Patch updates: delayed by 3 days (semver-patch-days: 3).
See also cooldown.
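The following script is an added example, not Dependabot's own code, that models how the cooldown block above resolves for individual dependencies and checks the two limits stated on this page (days between 1 and 90, at most 150 entries per list). The config dict mirrors the dependabot.yml snippet; the resolution rules it applies (an exclude match always wins, omitting include covers everything, the semver-specific day count is used when the update level is known and default-days otherwise) are assumptions drawn from the page's description, not from GitHub's implementation.

```python
"""Model of Dependabot cooldown resolution for the pip example on this page.

Added example, not Dependabot's own code. Matching rules are assumptions
drawn from the page text; shell-style wildcards are used for "pandas*".
"""
from fnmatch import fnmatchcase

# Constructed: the same content as the example dependabot.yml, as a dict.
COOLDOWN = {
    "default-days": 5,
    "semver-major-days": 30,
    "semver-minor-days": 7,
    "semver-patch-days": 3,
    "include": ["requests", "numpy", "pandas*", "django"],
    "exclude": ["pandas"],
}

MAX_DAYS = 90          # page: cooldown days must be between 1 and 90
MAX_LIST_ITEMS = 150   # page: include/exclude hold at most 150 items each
DAY_KEYS = ("default-days", "semver-major-days",
            "semver-minor-days", "semver-patch-days")


def validate_cooldown(cooldown: dict) -> list[str]:
    """Return a list of problems; an empty list means the block is acceptable."""
    problems = []
    for key in DAY_KEYS:
        if key in cooldown and not (1 <= cooldown[key] <= MAX_DAYS):
            problems.append(f"{key} must be between 1 and {MAX_DAYS}, got {cooldown[key]}")
    for key in ("include", "exclude"):
        if len(cooldown.get(key, [])) > MAX_LIST_ITEMS:
            problems.append(f"{key} has more than {MAX_LIST_ITEMS} entries")
    return problems


def _matches(name: str, patterns: list[str]) -> bool:
    return any(fnmatchcase(name, p) for p in patterns)


def in_cooldown(name: str, cooldown: dict) -> bool:
    """True if the dependency is subject to the cooldown block.

    Assumption: an exclude match always wins, and omitting include (or
    listing "*") covers every dependency, as the page's note describes.
    """
    if _matches(name, cooldown.get("exclude", [])):
        return False
    include = cooldown.get("include")
    return include is None or _matches(name, include)


def cooldown_days(name: str, update_type: str, cooldown: dict) -> int:
    """Days a new version must wait before a PR is raised, or 0 if no cooldown applies.

    update_type is "major", "minor" or "patch"; any other value stands for an
    ecosystem where the semver level is unknown (assumption: default-days then applies).
    """
    if not in_cooldown(name, cooldown):
        return 0
    specific = cooldown.get(f"semver-{update_type}-days")
    return specific if specific is not None else cooldown.get("default-days", 0)


if __name__ == "__main__":
    print("config problems:", validate_cooldown(COOLDOWN) or "none")
    cases = [("requests", "major"), ("pandas-stubs", "patch"),
             ("pandas", "minor"), ("flask", "patch"), ("numpy", "unknown")]
    for dep, kind in cases:
        print(f"{dep:13s} {kind:8s} -> {cooldown_days(dep, kind, COOLDOWN)} days")
```

Running the script shows requests waiting 30 days for a major release, pandas-stubs (matched by "pandas*") waiting 3 days for a patch, and pandas itself and flask getting no cooldown at all, the former because of the exact-match exclude and the latter because it is not in include.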
Prioritizing meaningful updates
You can use groups to consolidate updates for multiple dependencies into a single pull request. This helps you focus your review time on higher-risk updates and minimize the time spent reviewing minor version updates. For example, you can combine minor or patch updates for development dependencies into a single pull request, and have a dedicated group for security or version updates that affect a key area of your codebase.
You must configure groups per individual package ecosystem, then you can create multiple groups per package ecosystem using a combination of criteria:
- Dependabot update type: applies-to
- Type of dependency: dependency-type
- Dependency name: patterns and exclude-patterns
- Semantic versioning levels: update-types
To see all supported values for each criterion, see groups.
The examples below present several different methods of creating groups of dependencies using these criteria.
Example 1: Three groups for version updates
In this example, the dependabot.yml file:
- Creates three groups called production-dependencies, development-dependencies, and rubocop.
- Uses patterns and dependency-type to include dependencies in the groups.
- Uses exclude-patterns to exclude one (or more) dependencies from a group.
version: 2
updates:
  # Keep bundler dependencies up to date
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      production-dependencies:
        dependency-type: "production"
      development-dependencies:
        dependency-type: "development"
        exclude-patterns:
          - "rubocop*"
      rubocop:
        patterns:
          - "rubocop*"
As a result:
- Version updates are grouped by dependency type.
- Development dependencies matching the pattern rubocop* are excluded from the development-dependencies group.
- Conversely, development dependencies matching rubocop* are included in the rubocop group. Because of the ordering of the groups, production dependencies matching rubocop* are included in the production-dependencies group.
- Also, because there is no applies-to key, all groups apply only to version updates by default.
Example 2: Grouped updates with excluded dependencies
In this example, the dependabot.yml file:
- Creates a group called support-dependencies as part of a custom Bundler configuration.
- Uses patterns matching the name of one (or more) dependencies to include dependencies in the group.
- Uses exclude-patterns matching the name of one (or more) dependencies to exclude dependencies from the group.
- Because applies-to: version-updates is used, the grouping applies only to version updates.
version: 2
updates:
  # Keep bundler dependencies up to date
  - package-ecosystem: "bundler"
    directories:
      - "/frontend"
      - "/backend"
      - "/admin"
    schedule:
      interval: "weekly"
    # Create a group of dependencies to be updated together in one pull request
    groups:
      # Specify a name for the group, which will be used in pull request titles
      # and branch names
      support-dependencies:
        # Define patterns to include dependencies in the group (based on
        # dependency name)
        applies-to: version-updates # Applies the group rule to version updates
        patterns:
          - "rubocop" # A single dependency name
          - "rspec*" # A wildcard string that matches multiple dependency names
          - "*" # A wildcard that matches all dependencies in the package
                # ecosystem. Note: using "*" may open a large pull request
        # Define patterns to exclude dependencies from the group (based on
        # dependency name)
        exclude-patterns:
          - "gc_ruboconfig"
          - "gocardless-*"
As a result:
- Because of the wildcard ("*") pattern, most of the Bundler dependencies are consolidated into the support-dependencies group, except that
- Dependencies matching gc_ruboconfig and gocardless-* are excluded from the group, and Dependabot continues to raise individual pull requests for them. This is helpful if updates to these dependencies need closer review.
- For support-dependencies, Dependabot will only raise pull requests for version updates.
Example 3: Individual pull requests for major updates and grouped pull requests for minor/patch updates
In this example, the dependabot.yml file:
- Creates a group called angular.
- Uses patterns matching dependency names to include dependencies in the group.
- Uses update-types to include only minor or patch updates in the group.
- Because applies-to: version-updates is used, the grouping applies only to version updates.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Specify a name for the group, which will be used in pull request titles
      # and branch names
      angular:
        applies-to: version-updates
        patterns:
          - "@angular*"
        update-types:
          - "minor"
          - "patch"
As a result:
- Dependabot creates a grouped pull request for all Angular dependencies that have minor or patch updates.
- All major updates continue to be raised as individual pull requests.
Example 4: Grouped pull requests for minor/patch updates and no pull requests for major updates
In this example, the dependabot.yml file:
- Creates two groups called angular and minor-and-patch.
- Uses applies-to so that the first group applies only to version updates and the second only to security updates.
- Uses update-types to include only minor or patch updates in both groups.
- Uses an ignore condition to exclude major version updates for @angular* packages.
version: 2
updates:
  # Keep npm dependencies up to date
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      angular:
        applies-to: version-updates
        patterns:
          - "@angular*"
        update-types:
          - "minor"
          - "patch"
      minor-and-patch:
        applies-to: security-updates
        patterns:
          - "@angular*"
        update-types:
          - "patch"
          - "minor"
    ignore:
      - dependency-name: "@angular*"
        update-types: ["version-update:semver-major"]
As a result:
- Minor and patch version updates for Angular dependencies are grouped into a single pull request.
- Minor and patch security updates for Angular dependencies are also grouped into a single pull request.
- Dependabot does not automatically open pull requests for major updates to Angular.
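The following script is an added example, not Dependabot's own code, that models how the group criteria from Examples 1, 3 and 4 sort a single dependency update into a group (or into an individual pull request, or into nothing at all when an ignore rule matches). The group and ignore definitions mirror the dependabot.yml snippets above; the matching rules are assumptions drawn from the page's description rather than GitHub's implementation: groups are evaluated in the order written and the first match wins (which is what makes production rubocop* dependencies land in production-dependencies in Example 1), exclude-patterns beat patterns, a group without patterns matches any name, a group without update-types matches every semver level, and a group without applies-to applies only to version updates.

```python
"""Model of Dependabot group resolution for the examples on this page.

Added example, not Dependabot's own code. The matching rules are assumptions
drawn from the page text; shell-style wildcards stand in for Dependabot's patterns.
"""
from fnmatch import fnmatchcase
from typing import Optional

ALL_LEVELS = ["major", "minor", "patch"]

# Constructed: Example 1's groups, in the order written in the YAML.
EXAMPLE1_GROUPS = {
    "production-dependencies": {"dependency-type": "production"},
    "development-dependencies": {"dependency-type": "development",
                                 "exclude-patterns": ["rubocop*"]},
    "rubocop": {"patterns": ["rubocop*"]},
}

# Constructed: Example 4's groups and its ignore rule.
EXAMPLE4_GROUPS = {
    "angular": {"applies-to": "version-updates", "patterns": ["@angular*"],
                "update-types": ["minor", "patch"]},
    "minor-and-patch": {"applies-to": "security-updates", "patterns": ["@angular*"],
                        "update-types": ["patch", "minor"]},
}
EXAMPLE4_IGNORE = [{"dependency-name": "@angular*",
                    "update-types": ["version-update:semver-major"]}]


def _any_match(name: str, patterns: list[str]) -> bool:
    return any(fnmatchcase(name, p) for p in patterns)


def is_ignored(name: str, level: str, ignore: list[dict]) -> bool:
    """True if an ignore entry covers this dependency at this semver level.

    Assumption: an ignore entry without update-types ignores every level.
    """
    tag = f"version-update:semver-{level}"
    return any(_any_match(name, [rule["dependency-name"]])
               and tag in rule.get("update-types", [f"version-update:semver-{l}" for l in ALL_LEVELS])
               for rule in ignore)


def group_for(name: str, dep_type: str, level: str, kind: str,
              groups: dict, ignore: Optional[list[dict]] = None) -> Optional[str]:
    """Return the name of the first group that accepts this update.

    dep_type: "production" or "development"; level: "major", "minor" or "patch";
    kind: "version-updates" or "security-updates".
    Returns "ignored" when an ignore rule suppresses the update, and None when
    no group matches and Dependabot would open an individual pull request.
    """
    if is_ignored(name, level, ignore or []):
        return "ignored"
    for group_name, rule in groups.items():          # first matching group wins
        if rule.get("applies-to", "version-updates") != kind:
            continue
        if "dependency-type" in rule and rule["dependency-type"] != dep_type:
            continue
        if not _any_match(name, rule.get("patterns", ["*"])):
            continue
        if _any_match(name, rule.get("exclude-patterns", [])):
            continue
        if level not in rule.get("update-types", ALL_LEVELS):
            continue
        return group_name
    return None


if __name__ == "__main__":
    print("Example 1 (version updates):")
    for name, dep_type, level in [("rails", "production", "minor"),
                                  ("rubocop-rails", "production", "patch"),
                                  ("rubocop", "development", "minor"),
                                  ("rspec", "development", "major")]:
        print(f"  {name:14s} {dep_type:11s} {level:5s} -> "
              f"{group_for(name, dep_type, level, 'version-updates', EXAMPLE1_GROUPS)}")
    print("Example 4:")
    for level, kind in [("minor", "version-updates"), ("patch", "security-updates"),
                        ("major", "version-updates")]:
        print(f"  @angular/core {kind:16s} {level:5s} -> "
              f"{group_for('@angular/core', 'production', level, kind, EXAMPLE4_GROUPS, EXAMPLE4_IGNORE)}")
```

For Example 3 the same function applies with only the angular group: a minor or patch update to an @angular* package resolves to the group, while a major update resolves to None and therefore to its own pull request, which is the behaviour the example describes.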