Simplify Dependency Management for Android Projects with Gradle Version Catalog and Dependabot | by Jordan Gout | Jul, 2023
GitHub Dependabot is an automated dependency management tool provided by GitHub. It monitors a project’s dependencies and notifies us about outdated versions.
It generates pull requests with information on the available updates.
Dependabot helps ensure projects are using the latest dependencies.
Since March 2023, Dependabot has officially supported Gradle Version Catalog.
How to configure it
To enable version updates, we need to create a dependabot.yml file inside a root project’s
This config file tells Dependabot which dependency management tools we are using and how often it should check for updates.
Check the documentation for all available settings.
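A minimal configuration for a Gradle project, added here as an illustration rather than copied from the post; the `.github/` location, the root directory, the weekly cadence and the placeholder library coordinate are assumptions:

```yaml
# .github/dependabot.yml (assumed path; constructed example, not the post's own file)
version: 2
updates:
  - package-ecosystem: "gradle"   # Gradle ecosystem, which also covers gradle/libs.versions.toml
    directory: "/"                # assumed: the Gradle project sits at the repository root
    schedule:
      interval: "weekly"          # assumed cadence; "daily" and "monthly" are also accepted
    open-pull-requests-limit: 5   # the default limit on open update PRs; adjust as needed
    ignore:
      # Optional: the config-file equivalent of "@dependabot ignore this major version"
      # for a single library. Keep this list short so security fixes are not skipped.
      - dependency-name: "com.example:some-library"   # constructed placeholder coordinate
        update-types: ["version-update:semver-major"]
```

Commit the file on the default branch; Dependabot starts checking on the next scheduled run.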
What a pull request looks like
Once Dependabot detects a new dependency version, it creates a pull request that looks like this:
The pull request description contains the release notes, changelog, and commits to help us identify breaking changes.
Dependabot groups all dependencies that use the same version in our Version Catalog.
By default, Dependabot will open up to 5 pull requests with new updates per week, but we can change this with the `open-pull-requests-limit` setting.
Dependabot action comments
To manage Dependabot’s pull requests easily, we can comment on a pull request to ask Dependabot to run an action:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block auto-merging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot from recreating it (closing it manually has the same result)
- `@dependabot ignore this major version` will close this PR and stop Dependabot from creating any more for this major version (unless we reopen the PR or upgrade to it ourselves)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot from creating any more for this minor version (unless we reopen the PR or upgrade to it ourselves)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot from creating any more for this dependency (unless we reopen the PR or upgrade to it ourselves)