Description
Configure Dependabot to automatically create pull requests for dependency updates, keeping the project secure and up-to-date.
Benefits
- Automatic security updates: Dependabot detects vulnerable dependencies
- Reduced maintenance: Auto-generated PRs for version bumps
- Grouped updates: Can group related dependencies together
- CI validation: Each PR runs tests before merge
- Free for public repos: Built into GitHub
Recommended Configuration
Create .github/dependabot.yml:
version: 2
updates:
# Maven dependencies
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 5
groups:
# Group Apache CXF updates together
apache-cxf:
patterns:
- "org.apache.cxf:*"
# Group test dependencies together
test-dependencies:
patterns:
- "org.junit.jupiter:*"
- "org.mockito:*"
labels:
- "dependencies"
- "automated"
# GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
day: "monday"
open-pull-requests-limit: 3
labels:
- "dependencies"
- "ci/cd"
Current Situation
The workflow already updates dependencies automatically on push (versions:update-properties), but Dependabot provides:
- PRs for review before auto-merge
- Security alerts for vulnerable dependencies
- Changelogs in PR descriptions
- GitHub Actions updates (current workflow doesn't update these)
Configuration Options
Conservative (Recommended)
schedule:
interval: "weekly" # Weekly updates
open-pull-requests-limit: 5 # Max 5 open PRs
Aggressive
schedule:
interval: "daily" # Daily checks
open-pull-requests-limit: 10
Files to Create
Priority
Medium - Security and maintenance improvement
References
Description
Configure Dependabot to automatically create pull requests for dependency updates, keeping the project secure and up-to-date.
Benefits
Recommended Configuration
Create
.github/dependabot.yml:Current Situation
The workflow already updates dependencies automatically on push (
versions:update-properties), but Dependabot provides:Configuration Options
Conservative (Recommended)
Aggressive
Files to Create
.github/dependabot.ymlPriority
Medium - Security and maintenance improvement
References