nickineering/dependamerge

Fine-tune automatic merging for Dependabot pull requests

Warning: This project is now deprecated due to Dependabot's API changing. You should use RenovateBot instead, which does the same thing now.

GitHub includes an awesome feature called Dependabot, which automatically creates pull requests to update your outdated dependencies. It supports automatically merging those pull requests, but sadly does not have a blacklist for troublesome updates.

Behold, Dependamerge! Dependamerge lets you push Dependabot to its limits by automatically merging all pull requests. You can run it only when your tests pass on continuous integration, or, for the more adventurous, you could have it merge anything no matter what. Importantly, it also allows you to blacklist pesky updates.

Install

Step 1:

npm install --save-dev dependamerge

Step 2:

Create a dependamerge.json file in your project's root directory. It accepts the following fields:

| Field | Description | Type | Required |
| --- | --- | --- | --- |
| githubUsername | The project owner's GitHub username. | string | Yes |
| neverUpdate | Dependencies that should never be automatically updated. Accepts regular expressions. | string[] | No |
| onlyUpdatePatches | Dependencies that should only have patches automatically updated. Accepts regular expressions. | string[] | No |
| repoName | The name of your project's GitHub repository. | string | Yes |

Step 3:

Create a personal access token on GitHub that has access to your repository. Then add it as an environment variable in your continuous integration software.

Step 4:

Invoke Dependamerge after your continuous integration software successfully finishes testing pull requests. Don't worry, it will ignore pull requests by users other than Dependabot. Be sure to pass it the pull request's number and the GitHub token created in step 3. On Travis CI this is accomplished by adding the following snippet to .travis.yml.

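after_success:
    # Run only for pull request builds; variables are quoted so empty values cannot break the test.
    - 'if [ "$TRAVIS_PULL_REQUEST" != "false" ]; then node
      node_modules/dependamerge/src/index.js "$TRAVIS_PULL_REQUEST" "$GITHUB_TOKEN"; fi'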

Step 5:

Perfect your origami skills with all that time you saved.

A word of caution

Automatically updating your dependencies can easily introduce bugs without you noticing. Ensure that you have strong test coverage before installing Dependamerge, or make liberal use of the neverUpdate and the onlyUpdatePatches settings to avoid accidentally introducing bugs.
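The sketch below is an added example, not Dependamerge's own code. It shows how neverUpdate and onlyUpdatePatches entries could gate a merge, and why the regular expressions should be anchored. It assumes entries are applied as unanchored JavaScript regular expressions against the package name and that versions are plain MAJOR.MINOR.PATCH; the function names and the sample config values are hypothetical.

```javascript
// Added example: NOT Dependamerge's source. Assumes each config entry is
// compiled with `new RegExp(entry)` and tested against the package name.
const config = { // constructed sample dependamerge.json contents
  githubUsername: "example-owner",
  repoName: "example-repo",
  neverUpdate: ["^webpack$", "^@babel/"],
  onlyUpdatePatches: ["^react(-dom)?$"],
};

// Classify the change between two plain MAJOR.MINOR.PATCH versions.
function bumpType(from, to) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
    if (!m) throw new Error(`unsupported version: ${v}`);
    return m.slice(1).map(Number);
  };
  const [a, b] = [parse(from), parse(to)];
  if (a[0] !== b[0]) return "major";
  if (a[1] !== b[1]) return "minor";
  return a[2] !== b[2] ? "patch" : "none";
}

// True when any pattern in the list matches the package name.
const matchesAny = (patterns, name) =>
  (patterns || []).some((p) => new RegExp(p).test(name));

// Decide whether an update may be merged automatically.
function decide(cfg, name, from, to) {
  if (matchesAny(cfg.neverUpdate, name)) return "skip: neverUpdate";
  const bump = bumpType(from, to);
  if (bump === "none") return "skip: no version change";
  if (matchesAny(cfg.onlyUpdatePatches, name) && bump !== "patch")
    return `skip: ${bump} bump on patch-only dependency`;
  return "merge";
}

// Anchoring check: list every name an entry would match.
function overmatches(pattern, names) {
  return names.filter((n) => new RegExp(pattern).test(n));
}

console.log(decide(config, "webpack", "4.41.0", "4.41.1"));
console.log(decide(config, "react", "16.8.0", "16.9.0"));
console.log(decide(config, "react", "16.8.0", "16.8.1"));
console.log(decide(config, "lodash", "4.17.11", "5.0.0"));
console.log(overmatches("react", ["react", "preact", "react-dom"]));
```

An unanchored entry such as "react" matches "preact" and "react-dom" as well, so a list written without ^ and $ can cover more or fewer packages than intended.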

Contributing

Contributions would be much appreciated! Please open an issue to get started.