Do you know if all your repositories have up-to-date dependencies?

Keeping your repositories’ dependencies up to date is crucial for maintaining quality and security. Outdated dependencies can expose your project to vulnerabilities, compromise its stability, and hinder its overall performance. In order to answer this question for ourselves, we created a GitHub Action: Evergreen.

The challenge of dependency management

With new versions of libraries, frameworks, and packages being released regularly, developers are faced with the constant challenge of ensuring their projects use the latest and most secure dependencies. Manual updates can be time-consuming and error-prone, and tracking every dependency across all repositories is a daunting task.

Dependabot: Automating dependency updates

Dependabot version updates automate the process of updating dependencies by creating pull requests for new versions. Not to be confused with the more security focused variants of Dependabot in “Dependabot alerts” and “Dependabot security updates”, Dependabot version updates target any outdated dependencies instead of waiting for vulnerabilities. This alleviates the burden on developers and ensures that projects are using the latest and safest versions of their dependencies.

The Dependabot dilemma

While Dependabot version updates automates the task of updating dependencies, it is configured using a YAML file in every repository. This can make it difficult for administrators to centrally deploy it and can lead to inconsistent dependency management across projects.

Introducing Evergreen

Inside GitHub, our Open Source Program Office (OSPO) wanted to make it easy to deploy Dependabot version updates throughout our own organizations. To achieve this, we built a GitHub Action called Evergreen. Evergreen acts as a dependency management assistant for your teams, ensuring that Dependabot version updates are enabled and configured consistently across all your repositories.

[Small aside]With Evergreen, GitHub identified hundreds of our own private repositories to enable Dependabot on, and we’ll continue to run updates so we can confidently keep our repositories up to date.[Small aside]

How Evergreen works

Once the GitHub Action triggers, it checks whether Dependabot version updates is enabled for all repositories in your organization. If not, Evergreen takes care of enabling Dependabot version updates, configuring it for you, and opening pull requests with the changes for your review.

1. Triggering Evergreen: You can set up Evergreen like any other GitHub Action to run on a schedule or trigger it manually to enforce consistent dependency management. Check out the GitHub Docs on triggering a workflow for more information.

2. Dependency check: Evergreen checks whether Dependabot version updates is configured for the repository.

3. Enabling Dependabot: If Dependabot is not configured, Evergreen takes care of it by automatically setting it up, and opening a pull request for you to review the configuration.

Conclusion

Keeping dependencies up to date is a non-negotiable aspect of ensuring the quality and security of your projects. Dependabot has made this task significantly easier, but it’s also equally as important to ensure consistent implementation across all repositories. Evergreen automates the process of enabling and configuring it for every repository. Ensure your dependencies are evergreen! Check out the repository for more information.

Written by

Zack Koppert

@zkoppert