Dependabot on GitLab - does it work?

What is Dependabot?

Dependabot is a tool that helps you keep your code repositories up to date with the latest security patches and bug fixes. Managing dependencies is an essential part of software development. Dependencies are the libraries, frameworks and other components your software relies on to function, and keeping them up to date is critical to keeping your software secure, reliable and bug-free: a known vulnerability in a pinned library is a vulnerability in your product until you bump the version. However, managing dependencies can be time-consuming and challenging, especially on large projects with many dependencies. This is where Dependabot comes in. Dependabot automates the process of identifying outdated dependencies, opening pull requests to update them and, where auto-merge is configured, merging those pull requests once review and CI have passed.

Dependabot is a native integration of GitHub and is therefore extremely simple to set up and configure in many different ways when you use GitHub for your code repositories and CI/CD. It's not quite as easy if you use something like GitLab instead!

Does GitLab have its own dependency manager?

While GitLab does have its own dependency scanning feature, it is only available on certain tiers (such as GitLab Ultimate, which can cost ~$99 a month), it reports known vulnerabilities in your dependencies rather than opening merge requests to update them, and it doesn't support the same range of package managers that Dependabot does. It is still a useful way of finding out-of-date or vulnerable dependencies, but it isn't as simple to set up and doesn't have the same level of configurability.

Can Dependabot be used on GitLab repositories?

Thankfully, yes! There is now a Dependabot on GitLab project that is based on GitHub's open source Dependabot Core, meaning you can get all of the lovely dependency updates that GitHub offers, on GitLab!

Of course, as it isn't a native integration of GitLab, it isn't as quick and easy to set up and isn't quite as configurable as Dependabot is on GitHub. The Dependabot on GitLab project offers two ways of integrating Dependabot into your projects: a standalone version and a deployed version. The standalone version is easier and quicker to get set up and means you can be using a great dependency manager after just a few steps. There is a great article written by Tim de Beek which goes into detail about how to set up the standalone version of Dependabot on GitLab.

As I haven't used the deployed version of Dependabot on GitLab, the list of pros and cons below focuses on the standalone version and how easy and efficient it is to use on GitLab projects.

Pros

  • Based on maintained source code, Dependabot Core, which handles the logic for updating dependencies
  • Supports a huge range of package managers
  • Supports automated merge requests for dependency bumps
  • Each repo has its own config file for project-specific configuration

Cons

  • Requires cloning the Dependabot on GitLab repo into your own GitLab projects
  • GitLab pipeline schedules need to be set up to run Dependabot (the schedule param in the .gitlab-ci.yml is not used)
  • Doesn't support dependency update grouping
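As an added illustration of the per-repo config file mentioned above (this is example configuration written for this page, not taken from the Dependabot on GitLab project or from the author's repositories), here is a Dependabot configuration file using the standard Dependabot v2 syntax that Dependabot Core reads. The file location .gitlab/dependabot.yml, and the fact that the standalone integration is triggered by a GitLab pipeline schedule rather than by the schedule key, are assumptions about the GitLab integration; the keys themselves (package-ecosystem, directory, schedule, open-pull-requests-limit, allow, ignore, labels, commit-message) are standard Dependabot configuration:

```yaml
# .gitlab/dependabot.yml  (example for this article; file location is an assumption
# about the standalone GitLab integration, the keys are standard Dependabot v2 syntax)
version: 2
updates:
  # JavaScript front end: package.json / package-lock.json live at the repo root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"   # required by the schema, but on GitLab the run is
                           # kicked off by a pipeline schedule, not by this value
    open-pull-requests-limit: 5        # cap open update MRs so reviewers are not flooded
    allow:
      - dependency-type: "production"  # skip devDependencies to cut review noise
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]   # majors are reviewed by hand
    labels:
      - "dependencies"
    commit-message:
      prefix: "chore(deps)"

  # Python back end in a sub-directory with its own requirements file
  - package-ecosystem: "pip"
    directory: "/backend"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 3
    labels:
      - "dependencies"
      - "backend"
```

Without grouping support, each entry in this file produces one merge request per outdated dependency, which is exactly the review burden described in the Conclusion; limiting open merge requests and ignoring major bumps is the usual way to keep that manageable. The pipeline schedule that actually triggers the run is created in the GitLab UI (CI/CD > Schedules) for the project that hosts the cloned Dependabot on GitLab repo.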

What we went with in the end

Alongside trying out Dependabot on GitLab, another team at Dunelm were also trying a dependency manager called Renovate. When comparing the two tools, Renovate came out on top for its configurability and ease of integration. Keep a look out for a blog on Renovate and why it won!

Conclusion

Using Dependabot on GitLab was a fairly straightforward process that helped my team to keep our projects secure by updating dependencies as and when updates became available. For my team at the time, it was the right tool to use as it was quick to set up and get going. As we didn't have automatic merge requests set up, there was a lot of repetitive, time-consuming work in merging the updates, especially since the standalone version we used didn't support dependency update grouping. This did mean that, over time, the dependencies weren't getting updated as frequently as we initially hoped.

All in all, I think that Dependabot is an amazing tool that is super efficient when used on GitHub. Trying to take that great experience cross-platform to GitLab just hasn't translated in the way that I hoped it would. There are so many different dependency manager tools available and, right now, I think we're getting it right with Renovate!

Do you have experience using Dependabot on GitLab? How did you find it?