It can be hard to keep dependencies up to date. Do you check them manually? Set a calendar reminder? Run a script on your CI?

You can certainly create a manual process to automate it, but even then updating those dependencies to the latest version is tedious. Sure it's not that difficult, but it's a distraction and it's easy to put off or skip altogether. So anything that reduces the friction is a welcome change!

I'm very pleased with dependabot's elm and NPM dependency support.

The workflow

It's really dead simple. After a few clicks configuring dependabot for your project, it will make pull requests for each outdated elm or NPM dependency.

Here are some of my favorite features of this workflow.

CI Build Integration

If you have a green checkmark that shows your CI build is passing, then you can confidently hit the merge button ! 🎉

! 🎉 In the more rare cases where there's a red checkmark, you can see what the build errors were and manually fix them

Changelog and Release Notes

Dependabot includes all the changelog entires between the current and latest version in the pull request. This is super handy as you can quickly scan to see what to look out for in each dependency. And since there's a single pull request for each outdated dependency, it makes it really manageable to merge the trivial changes quickly, and then go through the more substantial changes one-at-a-time.

If the project doesn't have a changelog, you can see each of the commits with links and commit messages. Plus a quick link that takes you to the diff for the project comparing your current version with the latest.

Monorepo support

If you have a github repository that includes multiple projects within the same repo, it's easy to set up dependabot to watch the dependencies for each of the repo's projects. It's as simple as telling it which directory to watch, and for which kinds of dependencies (elm, NPM, etc.).

The bottom line

I love this workflow, and highly recommend it! For your open source elm projects, this is a no-brainer. For private commercial projects, it's only $15/month, so it's worth considering. You might find that it pays for itself in terms of managing NPM security vulnerabilities and improved developer productivity.

Learn more, and get started now at https://dependabot.com/#how-it-works.

Thanks for reading!

I hope you found this tip helpful! If you want more tips about boosting your productivity in your elm codebase, check out my weekly elm tips.