Regularly updating your package dependencies is one of the recommended ways to keep your software up to date and secure. As developers, we find that going through this process manually is tedious and sometimes painful. Dependabot is a component that can be included in your development process to handle these package updates automatically.
When using GitHub, Dependabot is natively integrated, so it is as easy as creating a Dependabot GitHub Action in your repository to trigger the version updates automatically. Depending on your configuration, this action can be triggered at a pre-set interval, and it will create pull requests to keep your dependencies up to date. You can even go as far as automatically merging these pull requests without manual intervention. However, it is generally recommended to also review Dependabot pull requests manually, because package updates sometimes include breaking changes that require your application code to be modified as well. For more details on how to use Dependabot in GitHub, see Automating Dependabot with GitHub Actions.
Dependabot is not natively integrated with Azure DevOps at the moment. There is currently an unofficial Dependabot extension, developed by Tingle Software: Tingle Software Dependabot. Because it is unofficial, it might not be approved by your Azure DevOps project administrators. However, there are other approaches you can consider for including Dependabot in Azure DevOps.
There are two Dependabot repos that are key to the Dependabot implementation: dependabot-core and dependabot-script. The dependabot-core repo contains the Dependabot source code, written in Ruby; to use it directly, you have to do the implementation yourself. The alternative is the dependabot-script repo, which contains a reference implementation, also in Ruby; this is the repo used in this guide.
When using the dependabot-script repo, you have two approaches: either run the Ruby scripts yourself (interactively or non-interactively) or simply use the Docker image. For simplicity, this guide uses the Docker image.
The dependabot-script repo contains an example of how to get started with the Docker image: Azure Pipelines Sample.
A prerequisite for this step is to make sure that the build service account has the right permissions to contribute to your pull requests. Go to Project Settings => Repos and choose your repository.
On the right hand side, select the Security tab for this repo to see its permission details:
Repo User permissions
What you need to look at is the build service account, which is listed under Users and has the format: Project Name Build Service (Org Name). Make sure the pull request permissions are set for it: Contribute, Contribute to pull requests, Create branch and Create tag.
Once the prerequisites are met, your Dependabot Azure DevOps pipeline can use the System.AccessToken. Pull requests will now be created on behalf of your project's build service account, which means anyone on your team can approve them:
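As an added example (not the Azure Pipelines Sample the page links, which you should still consult), here is a minimal azure-pipelines.yml that wires the scheduled run, the dependabot-script Docker image and the System.AccessToken together. The environment variable names (AZURE_ACCESS_TOKEN, PROJECT_PATH, PACKAGE_MANAGER, DIRECTORY) and the generic-update-script.rb entry point are taken from the dependabot-script project as I know it, so verify them against the sample; the angle-bracket values are placeholders you fill in.

```yaml
# azure-pipelines.yml (added example; env var names assumed from dependabot-script)
trigger: none          # never run on pushes, only on the schedule below

schedules:
  - cron: "0 6 * * 1"  # every Monday 06:00 UTC; adjust to taste
    displayName: Weekly Dependabot run
    branches:
      include:
        - main
    always: true       # run even if main has not changed since the last run

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: none     # the script fetches the repo itself through the Azure DevOps API

  - script: |
      git clone --depth 1 https://github.com/dependabot/dependabot-script.git
      cd dependabot-script
      docker build -t dependabot-script .
    displayName: Build the dependabot-script image

  - script: |
      docker run --rm \
        -e AZURE_ACCESS_TOKEN="$SYSTEM_ACCESSTOKEN" \
        -e PROJECT_PATH="$PROJECT_PATH" \
        -e PACKAGE_MANAGER="$PACKAGE_MANAGER" \
        -e DIRECTORY="$DIRECTORY" \
        dependabot-script bundle exec ruby ./generic-update-script.rb
    displayName: Run Dependabot against this repo
    env:
      # System.AccessToken is only visible to a script step when mapped here
      # explicitly; it authenticates as "<Project> Build Service (<Org>)", the
      # account whose Contribute / Create branch permissions were set above.
      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
      # Azure DevOps repo path in the form organization/project/_git/repository
      PROJECT_PATH: <your-org>/<your-project>/_git/<your-repo>
      PACKAGE_MANAGER: npm_and_yarn   # e.g. nuget, pip, maven, go_modules
      DIRECTORY: /                    # where the manifest files live
```

Because the token is scoped to the build service account, the pull requests it opens carry only the permissions you granted that account, which is why the permission check above is a prerequisite rather than an afterthought.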