Automatic dependency updates with Dependabot
Outdated dependencies are a source of vulnerabilities. Manually updating hundreds of packages once a quarter is not a realistic task. Dependabot opens PRs automatically as soon as new versions appear.
Configuring Dependabot
# .github/dependabot.yml
version: 2
updates:
  # npm dependencies
  - package-ecosystem: npm
    directory: /
    schedule:
      interval: weekly
      day: monday
      time: "09:00"
      timezone: "Europe/Moscow"
    open-pull-requests-limit: 10
    groups:
      # Group dev dependencies into a single PR
      dev-dependencies:
        patterns:
          - "@types/*"
          - "eslint*"
          - "prettier*"
          - "jest*"
          - "vitest*"
          - "typescript"
        update-types:
          - "minor"
          - "patch"
      # Storybook gets its own PR
      storybook:
        patterns:
          - "@storybook/*"
          - "storybook"
    ignore:
      # Never open major-version PRs automatically
      - dependency-name: "next"
        update-types: ["version-update:semver-major"]
      - dependency-name: "react"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
      - "automated"
  # GitHub Actions
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    labels:
      - "github-actions"
      - "automated"
  # Docker
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: monthly
    labels:
      - "docker"
      - "automated"
  # Composer (PHP)
  - package-ecosystem: composer
    directory: /
    schedule:
      interval: weekly
    groups:
      laravel:
        patterns:
          - "laravel/*"
Auto-merge for patch updates
The `--auto` flag defers the merge until the target branch's required status checks pass; if the branch has no required checks configured, the PR is merged as soon as the step runs.
# .github/workflows/dependabot-auto-merge.yml
name: Auto-merge Dependabot PRs
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  auto-merge:
    runs-on: ubuntu-latest
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # Auto-merge patch and minor updates of dev dependencies
      - name: Auto-merge dev dependency patches
        if: |
          steps.metadata.outputs.dependency-type == 'direct:development' &&
          (steps.metadata.outputs.update-type == 'version-update:semver-patch' ||
          steps.metadata.outputs.update-type == 'version-update:semver-minor')
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Auto-merge patch updates of production dependencies (after CI)
      - name: Auto-merge production patches
        if: |
          steps.metadata.outputs.dependency-type == 'direct:production' &&
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Renovate Bot: an alternative
Renovate is more powerful than Dependabot: it supports lock file maintenance, version pinning, grouped updates, and monorepos.
// renovate.json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    ":dependencyDashboard",
    ":semanticCommits"
  ],
  "packageRules": [
    {
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "matchPackageNames": ["next", "react", "react-dom"],
      "matchUpdateTypes": ["major"],
      "enabled": false
    }
  ],
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  }
}
Security monitoring
# npm audit in CI
npm audit --audit-level=high

# Block the merge when critical vulnerabilities are present
# .github/workflows/security.yml
- name: Security audit
  run: |
    # --audit-level only changes the exit code, not the JSON; npm audit exits
    # non-zero on findings, which would abort the step before jq runs, so the
    # report is captured first and the decision is made from the counts.
    npm audit --audit-level=critical --json > audit.json || true
    # jq -e fails on a missing/null count, so an unreadable report fails closed
    CRITICAL=$(jq -e '.metadata.vulnerabilities.critical' audit.json) || {
      echo "npm audit produced no readable report"; exit 1; }
    if [ "$CRITICAL" -gt 0 ]; then
      echo "Critical vulnerabilities found: $CRITICAL"
      exit 1
    fi
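The same gate as a stand-alone script, added here as an example rather than code from the page: it parses the JSON that `npm audit --json` writes, applies a severity threshold the way `--audit-level` does, and treats a partial report as zero findings per severity instead of crashing. The audit report below is a constructed sample in the shape npm 7+ emits, and the file name `audit_gate.py` is an assumption.

```python
import json
import sys

# Severity ladder used by npm audit's --audit-level (lowest first).
SEVERITIES = ["info", "low", "moderate", "high", "critical"]


def count_at_or_above(audit_json: str, level: str) -> dict:
    """Return per-severity counts at or above `level` from npm audit JSON.
    Missing keys count as zero, so a partial report does not crash the gate."""
    data = json.loads(audit_json)
    counts = data.get("metadata", {}).get("vulnerabilities", {})
    threshold = SEVERITIES.index(level)
    return {sev: int(counts.get(sev, 0) or 0) for sev in SEVERITIES[threshold:]}


def gate_passes(audit_json: str, level: str = "high") -> bool:
    """True when nothing at or above `level` was reported (merge may proceed)."""
    return sum(count_at_or_above(audit_json, level).values()) == 0


# Constructed sample report (not real audit output): 3 high, 0 critical.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {},
    "metadata": {
        "vulnerabilities": {"info": 0, "low": 2, "moderate": 1,
                            "high": 3, "critical": 0, "total": 6},
        "dependencies": {"prod": 120, "dev": 800, "total": 920},
    },
})

if __name__ == "__main__":
    # Usage: python audit_gate.py [audit.json] [level]; defaults to the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    level = sys.argv[2] if len(sys.argv) > 2 else "high"
    found = count_at_or_above(report, level)
    print(" ".join(f"{k}={v}" for k, v in found.items()))
    sys.exit(0 if gate_passes(report, level) else 1)
```

In a workflow step, capture the report with `npm audit --json > audit.json || true` and then run `python audit_gate.py audit.json high`; the non-zero exit is what blocks the merge.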
Setting up Dependabot with auto-merge and grouped updates takes a few hours. Renovate Bot with a monorepo configuration takes one working day.