Dependabot is a GitHub-acquired tool that scans for pinned dependencies in your repositories and automatically creates PRs to update them. I’ve been using it at work and on personal projects for a few weeks now and it’s been nice.
I’ve just set it up! It’ll be fun to forget all about this and receive a PR a while later, I hope.
Dependabot is great!
We’ve been using it since October 2017. Previously we used requires.io, which would update all dependencies in one go. If a single dependency bump broke the build it would effectively prevent convenient updating of any dependencies, and we would manually bump the dependencies that didn’t break the build. To be fair, Dependabot does occasionally suffer from the opposite problem, where you need to bump two dependencies at the same time to keep the build passing. In my experience it is rarer, however.