We love Laravel here at Vizalo; our main application is actually built with it. Laravel is commonly used as a full-stack framework, which means we typically have two ecosystems of dependencies in our application: Composer and npm. Sooner or later every Laravel app accumulates dependencies. But how do we keep them up to date?
Keeping your dependencies up to date is crucial, and if you want one killer reason, it's security. You should care about your app being secure, and keeping dependencies up to date is the first place to start.
As a disclaimer, it won't secure your app on its own; there are so many other places your app could be insecure, but dependencies are a crucial place to start.
Dependabot is a useful tool that we can use with GitHub to automatically open pull requests (PRs) which update our project's dependencies.
So how can we do it?
In our Laravel app, let's create a .github directory at the root of the project (if you're already using GitHub Actions you will have this directory already). Inside that directory let's create a file called dependabot.yml, and in that file we can add the following ten lines of configuration:
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
```
That's it: 10 lines of YAML and we have automatic dependency updates for our Laravel project.
So what is happening?
- We define two package ecosystems, npm and composer, one entry per dependency manager.
- Both entries use the directory /, which tells Dependabot to look for package.json and composer.json at the root of our project.
- Both run on a weekly schedule, so Dependabot checks for new versions once a week and opens a PR for each update it finds.
There are a lot more options to Dependabot which you can check out here, for example defining reviewers, target branches and many more.
That's it, hope this helps you keep your Laravel projects up to date.
Have a great day, happy coding!