Dependabot

Dependabot is a GitHub feature that regularly scans your project's dependencies for updates and automatically opens Pull Requests to keep those dependencies current.

Using Dependabot ultimately makes your project more secure by keeping its dependencies up to date. As a general rule, running the latest versions of your dependencies gives you

  • the latest security patches
  • the latest bug fixes
  • the latest features

Overall, this leads to a more maintainable project.

Enabling Dependabot

When you choose Dependabot as an option, the Starlight project will include a .github/.dependabot.yml file. It is configured to check for updates weekly for:

  1. Node packages (i.e. dependencies and devDependencies in package.json)
  2. GitHub Actions
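
A Dependabot configuration matching that description, added here as an illustration; it is not the file the Starlight template generates (the contents of that file are not shown on this page), and the labels and PR limit are assumed values:

```yaml
# Dependabot configuration (format version 2)
version: 2
updates:
  # 1. Node packages: dependencies and devDependencies in package.json
  - package-ecosystem: "npm"
    directory: "/"              # location of package.json
    schedule:
      interval: "weekly"
    # Assumed values: cap the number of open update PRs and tag them for triage
    open-pull-requests-limit: 10
    labels:
      - "dependencies"

  # 2. GitHub Actions referenced from .github/workflows/*.yml
  - package-ecosystem: "github-actions"
    directory: "/"              # Dependabot locates the workflows directory itself
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
      - "github-actions"
```

Each entry under updates is one ecosystem to watch; Dependabot opens a separate Pull Request per outdated dependency on the weekly schedule, so review and merge them like any other change rather than merging blindly.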