
How to review Dependabot pull requests

Introduction

We use Dependabot to keep our dependencies up to date. We need to review, approve and merge these pull requests.

At 09:00, 12:00 and 15:00 GitHub will post open pull requests from all of the repositories that the modernisation-platform team is an admin of, into our main Slack channel.

Click on the link in Slack to open the pull request.

Notes on reviewing

  1. Semantic Versioning is generally used. This means:
  • MAJOR version (X.0.0) will have incompatible API changes
  • MINOR version (0.X.0) will add functionality in a backwards compatible manner
  • PATCH version (0.0.X) will make backwards compatible bug fixes

Keep this in mind when reviewing: major version changes will need a detailed code review to ensure the breaking changes do not affect our code, or are resolved, before approving and merging the pull request.

  2. GitHub checks (GitHub Actions workflows) will not have access to GitHub secrets, so checks needing secrets will fail. After reviewing the release notes and code for potential security issues, you can open and close the pull request to trigger the checks to run with secret access.

  3. Sometimes the pull request will need rebasing. Dependabot will usually do this for you, but if not, it can be done by commenting @dependabot rebase.

  4. Once the pull request has been reviewed and approved, it can be merged. Keep an eye on Slack for any failed workflows.

  5. Often lots of repositories will use the same dependency. When this is the case, it is usually safe to do one in-depth review and then approve and merge all of them. (The exception to this would be major upgrades, where you need to ensure the breaking changes don’t affect anything.) To bulk review and merge pull requests you can use the bulk-merger tool.
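
The following is an added example, not part of the original guidance and not the bulk-merger tool's code. It sorts a batch of Dependabot pull request titles by bump type, following the Semantic Versioning note and the bulk review note above, so that major bumps are pulled out for individual review before anything is merged in bulk. It goes beyond the notes by treating 0.x minor bumps as major and by marking non-numeric versions as unknown; the title format, the function names and all sample titles are assumptions.

```python
import re

# Assumed title shape (Dependabot's default): "Bump <name> from <old> to <new>",
# optionally with a commit-message prefix and a trailing " in /<directory>".
TITLE_RE = re.compile(r"bump (\S+) from (?P<old>\S+) to (?P<new>\S+)", re.I)
VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$")


def parse_version(text):
    """Return (major, minor, patch), or None if text is not a numeric version."""
    m = VERSION_RE.match(text)
    return tuple(int(part or 0) for part in m.groups()) if m else None


def classify(title):
    """Map a pull request title to 'major', 'minor', 'patch' or 'unknown'."""
    m = TITLE_RE.search(title)
    if not m:
        return "unknown"  # e.g. a grouped update: read the pull request body
    old, new = parse_version(m["old"]), parse_version(m["new"])
    if old is None or new is None:
        return "unknown"  # e.g. a dependency pinned to a commit SHA
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        # SemVer makes no compatibility promise for 0.y.z releases, so a
        # 0.x minor bump is put in the detailed-review bucket as well.
        return "major" if old[0] == 0 else "minor"
    return "patch"


def triage(titles):
    """Group titles by bump type so that major bumps are reviewed one by one."""
    buckets = {"major": [], "minor": [], "patch": [], "unknown": []}
    for title in titles:
        buckets[classify(title)].append(title)
    return buckets


# Constructed sample titles with hypothetical dependency names.
SAMPLE_TITLES = [
    "Bump example-org/example-action from 3.6.0 to 4.1.1",
    "Bump example-provider from v5.30.0 to v5.31.0 in /terraform",
    "chore(deps): bump example.org/x/net from 0.17.0 to 0.19.0",
    "Bump example-lib from 2.31.0 to 2.31.1",
    "Bump example-org/other-action from 8ca2b8b to 63c24ba",
    "Bump the terraform group with 3 updates",
]

if __name__ == "__main__":
    for level, items in triage(SAMPLE_TITLES).items():
        print(f"{level}: {items}")
```

Titles that land in the unknown bucket still need a manual look at the pull request body before they are approved.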

This page was last reviewed on 23 August 2024. It needs to be reviewed again on 23 February 2025 by the page owner #modernisation-platform.