How to setup Dependabot for Laravel

Sam

Code for this tutorial can be found on GitHub


We love Laravel here at Vizalo; our main application is actually built with it. Laravel is commonly used as a full-stack framework, which means we typically have two ecosystems of dependencies in our application: Composer and npm. At some point or another we will have dependencies in our Laravel apps, so how do we keep them up to date?

Why?

Keeping your dependencies up to date is crucial, and if you want one killer reason, it's security. You should care about your app being secure, and keeping dependencies up to date is the first place to start.

As a disclaimer, this alone won't secure your app. There are many other places where your app could be insecure, but dependencies are a crucial place to start.

Dependabot

Dependabot is a useful tool that we can use with GitHub to automatically open pull requests (PRs) which update our project's dependencies.

So how can we do it?

10 lines of YAML, that's it. In our Laravel app, let's create a .github directory at the root of the project; if you're already using GitHub Actions you will have this directory already. Inside that directory, let's create a file called dependabot.yml and add the following ten lines of configuration:

version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"

That's it, 10 lines of YAML and we have automatic dependency updates for Laravel projects.

Let's break it down

So what is happening?

  1. We're using Dependabot configuration version 2, which is the default version defined by GitHub.
  2. We define updates, a top-level section where each package ecosystem's configuration lives.
  3. We then define two package ecosystem entries, one for npm and one for composer.
  4. We set the directory to /, which tells Dependabot to look for package.json and composer.json at the root of our project.
  5. Finally, we define the schedule: every week Dependabot checks whether our dependencies have any available updates and opens a pull request for each one it finds.

There are many more options for Dependabot, which you can check out here, such as defining reviewers, target branches and more.
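As an added example that is not part of the original post, here is the same two-ecosystem configuration expanded with a few of those options: a fixed day for the weekly check, reviewers, labels, a cap on open pull requests, a commit-message prefix, a target branch for the Composer updates, and grouping of minor and patch updates so that routine bumps arrive as one PR instead of many. The reviewer handles (example-org/frontend-team, example-org/backend-team), label names and the develop branch are placeholders you would replace with your own.

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Placeholder team handle; replace with a real GitHub user or team
    reviewers:
      - "example-org/frontend-team"
    labels:
      - "dependencies"
      - "javascript"
    # Cap how many update PRs Dependabot may keep open at once
    open-pull-requests-limit: 5
    commit-message:
      prefix: "npm"
    # Bundle routine minor and patch bumps into a single PR;
    # major updates still get their own PR for closer review
    groups:
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Placeholder branch name: open PRs against develop instead of the default branch
    target-branch: "develop"
    reviewers:
      - "example-org/backend-team"
    labels:
      - "dependencies"
      - "php"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "composer"
    groups:
      composer-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Note that this file configures Dependabot version updates. Dependabot security updates, which open PRs specifically for dependencies with known vulnerabilities, are enabled separately in the repository's security settings, so turn those on as well. Treat the resulting PRs like any other code change: check the upstream changelog and let your test suite run before merging.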

Wrapping up

That's it, hope this helps you keep your Laravel projects up to date.

Have a great day, happy coding!
