# Automated Dependency Updates
Keep dependencies current without manual toil. Covers Dependabot and Renovate configuration, auto-merge strategies, vulnerability patching workflows, monorepo dependency management, and building confidence in automated updates.
Every dependency in your project is a ticking clock. Security vulnerabilities are discovered daily. Breaking changes accumulate. The longer you wait to update, the harder updates become — a phenomenon known as “dependency drift.”
Automated dependency updates solve this by creating pull requests for every new version, running your test suite, and optionally auto-merging low-risk updates.
## Tool Selection
### Dependabot (GitHub Native)

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
    open-pull-requests-limit: 10
    reviewers:
      - "team-leads"
    labels:
      - "dependencies"
    groups:
      dev-dependencies:
        dependency-type: "development"
        update-types: ["minor", "patch"]
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```
### Renovate (More Flexible)

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":automergeMinor",
    ":automergeDigest"
  ],
  "packageRules": [
    {
      "matchPackagePatterns": ["eslint", "prettier"],
      "groupName": "linting tools",
      "automerge": true
    },
    {
      "matchUpdateTypes": ["major"],
      "labels": ["breaking-change"],
      "automerge": false
    },
    {
      "matchPackageNames": ["react", "react-dom"],
      "groupName": "React",
      "automerge": false
    }
  ],
  "schedule": ["before 6am on Monday"]
}
```
## Auto-Merge Strategy

### Safe to Auto-Merge

- ✅ Patch updates (1.2.3 → 1.2.4): Bug fixes only
- ✅ Minor dev dependencies (eslint 8.1 → 8.2): No production impact
- ✅ GitHub Actions (v3 → v3.1): Infrastructure-only
- ✅ Docker base image digests: Same tag, updated content

### Require Manual Review

- ❌ Major version updates: Likely breaking changes
- ❌ Core framework updates (React, Next.js, Django)
- ❌ Database drivers: Query behavior may change
- ❌ Authentication libraries: Security-critical
- ❌ Any update that fails CI
### Auto-Merge CI Requirements

```yaml
# Only auto-merge if ALL checks pass
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # the repo must be checked out before npm ci
      - run: npm ci
      - run: npm test
      - run: npm run build
      - run: npm run lint
      - run: npm run type-check

  auto-merge:
    needs: ci                       # runs only after every CI step succeeded
    if: contains(github.event.pull_request.labels.*.name, 'automerge')
    runs-on: ubuntu-latest
    permissions:
      contents: write               # the default read-only token cannot merge
      pull-requests: write
    steps:
      - uses: actions/github-script@v6
        with:
          script: |
            # await so a failed merge fails the step instead of being ignored
            await github.rest.pulls.merge({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              merge_method: 'squash'
            })
```
## Security Vulnerability Patching
Configure immediate PRs for security vulnerabilities:
```yaml
# Dependabot security updates (separate from version updates)
# Enabled by default in GitHub — verify it's on in the repository's security settings
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily" # Check for security patches daily
    open-pull-requests-limit: 20
```
### Vulnerability Response SLA
| Severity | Response Time | Auto-Merge |
|---|---|---|
| Critical (CVSS 9.0+) | < 24 hours | Yes, if tests pass |
| High (CVSS 7.0-8.9) | < 72 hours | Yes, if tests pass |
| Medium (CVSS 4.0-6.9) | < 1 week | Only patch versions |
| Low (CVSS < 4.0) | Next sprint | No |
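The auto-merge rules and the SLA table above, encoded as a policy check that a merge bot or a pre-merge script could apply to each update PR; this is an added example, not code from the original article. The package names in `MANUAL_REVIEW` are illustrative assumptions, as is the reading that a Medium-severity fix auto-merges only when it is a patch release and CI passed.

```python
import re

# Version strings like "1.2.3", "8.1" or "v3"; anything else is "unknown".
_SEMVER = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

# Packages the article says always need a human: core frameworks, database
# drivers and authentication libraries. These names are illustrative assumptions.
MANUAL_REVIEW = {"react", "react-dom", "next", "django", "pg", "mysql2",
                 "passport", "jsonwebtoken"}

def update_type(old: str, new: str) -> str:
    """Classify a bump as 'major', 'minor', 'patch', 'none' or 'unknown'."""
    a, b = _SEMVER.match(old), _SEMVER.match(new)
    if not a or not b:
        return "unknown"
    ao = [int(x or 0) for x in a.groups()]
    bo = [int(x or 0) for x in b.groups()]
    if ao == bo:
        return "none"
    if ao[0] != bo[0]:
        return "major"
    if ao[1] != bo[1]:
        return "minor"
    return "patch"

def auto_merge_ok(pkg: str, old: str, new: str, ecosystem: str = "npm",
                  dev_dependency: bool = False, ci_passed: bool = True) -> bool:
    """Apply the 'Safe to Auto-Merge' / 'Require Manual Review' rules above."""
    if not ci_passed:
        return False                        # any update that fails CI
    if ecosystem == "docker":
        return old == new                   # digest bump: same tag, new content
    kind = update_type(old, new)
    if pkg in MANUAL_REVIEW or kind in ("major", "unknown"):
        return False                        # breaking or security-critical
    if ecosystem == "github-actions":
        return True                         # infrastructure-only minor/patch
    if kind == "patch":
        return True                         # bug fixes only
    return kind == "minor" and dev_dependency   # minor: dev dependencies only

def security_sla(cvss: float, kind: str, ci_passed: bool) -> tuple:
    """Map a CVSS score to (response window in hours, auto-merge allowed)."""
    if cvss >= 7.0:                         # Critical / High
        return (24 if cvss >= 9.0 else 72, ci_passed)
    if cvss >= 4.0:                         # Medium: only patch versions
        return (168, ci_passed and kind == "patch")
    return (None, False)                    # Low: next sprint, never auto-merged
```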
## Monorepo Dependency Management

Renovate `packageRules` can be scoped by path, so each package's owning team reviews only its own dependency updates:

```json
{
  "packageRules": [
    {
      "matchPaths": ["packages/frontend/**"],
      "groupName": "frontend dependencies",
      "reviewers": ["frontend-team"]
    },
    {
      "matchPaths": ["packages/api/**"],
      "groupName": "API dependencies",
      "reviewers": ["backend-team"]
    },
    {
      "matchPaths": ["infrastructure/**"],
      "groupName": "infrastructure dependencies",
      "reviewers": ["platform-team"]
    }
  ]
}
```
## Anti-Patterns
| Anti-Pattern | Consequence | Fix |
|---|---|---|
| No automated updates | Dependencies drift for months | Enable Dependabot/Renovate |
| Auto-merge everything | Breaking changes hit production | Auto-merge only patch + minor dev deps |
| Ignoring update PRs | 50+ stale PRs accumulate | Group updates, set merge deadlines |
| No CI on dependency PRs | Broken updates merged | Full test suite on every dependency PR |
| Updating only when forced | Major version jumps are painful | Weekly minor/patch updates reduce jump size |
Automated dependency updates are maintenance hygiene. Like brushing your teeth, the daily effort is small but skipping it creates expensive problems.