Skip to content

Add Dependabot for automated dependency updates #71

Description

@sfloess

Description

Configure Dependabot to automatically create pull requests for dependency updates, keeping the project secure and up-to-date.

Benefits

  • Automatic security updates: Dependabot detects vulnerable dependencies
  • Reduced maintenance: Auto-generated PRs for version bumps
  • Grouped updates: Can group related dependencies together
  • CI validation: Each PR runs tests before merge
  • Free for public repos: Built into GitHub

Recommended Configuration

Create .github/dependabot.yml:

version: 2
updates:
  # Maven dependencies
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      # Group Apache CXF updates together
      apache-cxf:
        patterns:
          - "org.apache.cxf:*"
      # Group test dependencies together
      test-dependencies:
        patterns:
          - "org.junit.jupiter:*"
          - "org.mockito:*"
    labels:
      - "dependencies"
      - "automated"

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "ci/cd"

Current Situation

The workflow already updates dependencies automatically on push (versions:update-properties), but Dependabot provides:

  1. PRs for review before auto-merge
  2. Security alerts for vulnerable dependencies
  3. Changelogs in PR descriptions
  4. GitHub Actions updates (current workflow doesn't update these)

Configuration Options

Conservative (Recommended)

schedule:
  interval: "weekly"  # Weekly updates
open-pull-requests-limit: 5  # Max 5 open PRs

Aggressive

schedule:
  interval: "daily"  # Daily checks
open-pull-requests-limit: 10

Files to Create

  • .github/dependabot.yml

Priority

Medium - Security and maintenance improvement

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions