Secure your supply chain, understand dependencies in your environment, know about vulnerabilities in those dependencies and patch them.

Nicely done! 🥳

You now have automated the process for Dependabot to alert and create pull requests to update your dependencies! At this point, you only need to review the pull request and then merge it to stay on top of your security alerts.

The security updates feature helps automate the process to resolve alerts, but what about just keeping up-to-date with version updates? We can have the same automation to update our dependencies for updated versions using the Dependabot version updates feature.

What are Dependabot version updates?: In addition to security alerts, Dependabot can also take the effort out of maintaining your dependencies. You can use it to ensure that your repository automatically keeps up with the latest releases of the packages and applications it depends on. Just like security alerts, Dependabot will identify an outdated dependency and create a pull request to update the manifest to the latest version of the dependency.

Let's see how this works!

1. Navigate to the Settings tab, select Code security and analysis, and enable the Dependabot version updates.
   • A new file editor opens with pre-poplulated contents. The file is called dependabot.yml.
2. Add nuget to the package-ecosystem.
3. Change the directory to /code/. (The dependabot.yml file should look like this)
4. Click Commit changes directly to the main branch.
5. Wait about 20 seconds then refresh this page (the one you're following instructions from). GitHub Actions will automatically update to the next step.

Get help: Post in our discussion board • Review the GitHub status page

© 2024 GitHub • Code of Conduct • MIT License