There is now a large number of online services that help you keep your project's dependency list up to date. Their goal is to make sure that you deploy your software with libraries and frameworks that do not suffer from known major bugs and security flaws.

Among them are PyUP for Python, Greenkeeper for npm, and Dependabot for a broader choice of languages.

How They Work

These services all work the same way: they monitor your repository, and as soon as one of its dependencies has a new version available, the service opens a pull request with the dependency update.

Dependabot updating a dependency

These services are fantastic because they automate what used to be manual work. You don't have to track new versions of the libraries you use yourself.

Once the pull request is opened, your continuous integration system can test the dependency update, and a developer can click the merge button if they're happy with the result.

Automatic?

It turns out that in 99% of cases, you're simply fine with the update. As long as your test suite passes, you know everything is going to be alright, and you just want to merge that pull request as soon as possible.

So why not go one step further and automate that too?

Mergify makes that possible, and some of our users are already leveraging it to save time. You can write a rule such as this one:

- name: merge pull requests from dependabot if CI passes
  conditions:
    - author=dependabot[bot]
    - status-success=continuous-integration/travis/pr
  actions:
    merge:
      method: merge

With such a rule, as soon as Dependabot opens a pull request and continuous integration (Travis in this example) reports success, the pull request is merged. Note exactly what the rule checks: `author=dependabot[bot]` matches the GitHub login of the bot account, and `status-success=continuous-integration/travis/pr` requires that one named CI status to be green. A passing build tells you that your tests pass against the new version; it does not tell you anything about the new version itself, so teams that auto-merge usually keep the rule narrow (only the CI contexts they rely on, and a review step for larger upgrades) rather than merging every bot pull request unconditionally.
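The same policy written out as code, with a couple of extra guards a practitioner would typically add before letting dependency updates merge themselves: the author must be the bot, every required CI context must be successful, and the update must be a patch or minor bump as read from Dependabot's "Bump X from A to B" pull-request title, with major bumps and downgrades left for a human. This is an added example, not code from the original post nor part of Mergify or Dependabot; the `PullRequest` model, the `should_auto_merge` function and the sample pull requests are constructed for illustration.

```python
import re
from dataclasses import dataclass, field


# Hypothetical model of the pull-request fields the merge policy looks at.
# Constructed for this example; it is not GitHub's or Mergify's data model.
@dataclass
class PullRequest:
    author: str
    title: str
    # CI context name -> "success" | "failure" | "pending"
    checks: dict = field(default_factory=dict)


# Dependabot titles its pull requests "Bump <dep> from <old> to <new>"
# (sometimes followed by " in <directory>", which this pattern tolerates).
TITLE_RE = re.compile(
    r"^Bump (?P<dep>\S+) from (?P<old>\d+(?:\.\d+)*) to (?P<new>\d+(?:\.\d+)*)"
)


def parse_version(text: str) -> tuple:
    """Turn '1.25.8' into (1, 25, 8) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def bump_kind(old: str, new: str) -> str:
    """Classify a version change as 'patch', 'minor', 'major' or 'downgrade'."""
    o, n = parse_version(old), parse_version(new)
    # Pad both tuples to the same width so '2' and '2.0.1' compare sanely.
    width = max(len(o), len(n), 3)
    o += (0,) * (width - len(o))
    n += (0,) * (width - len(n))
    if n <= o:
        return "downgrade"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"


def should_auto_merge(pr: PullRequest, required_checks, allowed_kinds=("patch", "minor")):
    """Return (decision, reason). Every guard has to pass for a merge."""
    # Same check as the rule's author=dependabot[bot] condition.
    if pr.author != "dependabot[bot]":
        return False, "author is not dependabot[bot]"
    # Same check as status-success=..., but for every listed CI context.
    for context in required_checks:
        if pr.checks.get(context) != "success":
            return False, f"required check {context!r} is not successful"
    # Extra guard: only merge updates whose size we understand from the title.
    m = TITLE_RE.match(pr.title)
    if m is None:
        return False, "title is not a Dependabot version bump"
    kind = bump_kind(m["old"], m["new"])
    if kind not in allowed_kinds:
        return False, f"{kind} update of {m['dep']} needs human review"
    return True, f"{kind} update of {m['dep']}"


# The CI context used in the rule above; any number of contexts can be listed.
REQUIRED_CHECKS = ("continuous-integration/travis/pr",)

# Constructed sample pull requests, not captured from a real repository.
SAMPLE_PRS = [
    PullRequest("dependabot[bot]", "Bump urllib3 from 1.25.8 to 1.25.9",
                {"continuous-integration/travis/pr": "success"}),
    PullRequest("dependabot[bot]", "Bump requests from 2.24.0 to 2.25.1",
                {"continuous-integration/travis/pr": "success"}),
    PullRequest("dependabot[bot]", "Bump django from 2.2.10 to 3.0.3",
                {"continuous-integration/travis/pr": "success"}),
    PullRequest("dependabot[bot]", "Bump urllib3 from 1.25.8 to 1.25.9",
                {"continuous-integration/travis/pr": "pending"}),
    PullRequest("some-contributor", "Bump urllib3 from 1.25.8 to 1.25.9",
                {"continuous-integration/travis/pr": "success"}),
]

if __name__ == "__main__":
    for pr in SAMPLE_PRS:
        merge, reason = should_auto_merge(pr, REQUIRED_CHECKS)
        print(f"{'MERGE ' if merge else 'HOLD  '} {pr.title!r}: {reason}")
```

Of the five constructed pull requests, only the first two are merged: the major Django upgrade, the pull request whose CI is still pending, and the one not authored by the bot are all held for a person to look at.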

No need to manually track and follow all the pull requests opened by those bots.

The same method can be applied to many other automated services that create pull requests. Feel free to share your use cases in the comment section!