【Flutter】Introducing GitHub's Dependabot.

DevOps


I am personally developing the following Omikuji application for smartphones using Flutter.

[iOS]
https://apps.apple.com/us/app/%E5%A4%A7%E5%BE%A1%E5%BF%83%E3%82%A2%E3%83%97%E3%83%AA/id1627544916

[Android]
https://play.google.com/store/apps/details?id=jp.sikisimanomiti.oomigokoro

What is Dependabot?

When developing an application, you will use libraries as needed, but you must also update those libraries regularly so that a serious vulnerability in one of them (leading, for example, to the leakage of personal information) does not compromise the security of the application you are developing.

However, manually checking and updating every library you use, one by one, is tedious and impractical.

You can automate these update checks with GitHub's Dependabot.

Dependabot manages dependencies by reading the manifest file of each language's package management system, such as npm's package.json or Python's Pipfile, finding libraries that are out of date or vulnerable, and opening a Pull Request to notify you.

Dependabot added beta support for pub packages in April 2022, so this time I will set up Dependabot in the repository of the application above.
(*Because pub support is still in beta, Dependabot apparently does not support security updates for it.)

Support for pub is in beta, and thus, we are aware of some limitations. For example, security updates are not supported in this release but will be in the future.

pub beta support for Dependabot version updates

Install Dependabot

First, create a .github directory and a configuration file under the project directory to get Dependabot working.

$ mkdir .github
$ touch .github/dependabot.yml

The directory structure is now as follows.

$ tree -L 1
.
├── .github
│   └── dependabot.yml
├── backend
└── frontend

Once you have created the file, fill in its contents. See "Configuration options for the dependabot.yml file" for the available options.

.github/dependabot.yml

version: 2
enable-beta-ecosystems: true
updates:
  - package-ecosystem: "pub"
    directory: "/frontend"
    schedule:
      interval: "weekly"
      time: "09:00"
      timezone: Asia/Tokyo

Once written, push it to GitHub.

After pushing, Dependabot starts checking pubspec.yaml on GitHub.

Once the check completes, pubspec.yaml and pubspec.lock are monitored.

Opening the "Pull requests" tab on GitHub, I found five pull requests notifying me of library updates.

Open the details of flutter_svg's pull request.

Currently (as of July 31, 2022), security updates are not yet supported, but you can now keep up with library updates.
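Because the pub beta does not deliver security updates, the lock file still has to be checked for vulnerable resolved versions by some other means. The script below is an added example, not code from this post or from Dependabot: it models the two checks described earlier (a locked version that is behind the registry, and a locked version that falls inside an advisory's affected range) against a constructed pubspec.lock excerpt, a constructed "latest version" snapshot and a placeholder advisory. The package names demo_svg, demo_http and demo_path and the advisory id are invented for the example. Ruby is used because its standard library already ships YAML parsing and semver-style comparison (Gem::Version, Gem::Requirement), so nothing beyond a stock interpreter is needed.

```ruby
require "yaml"
require "rubygems" # Gem::Version / Gem::Requirement for version comparisons

# Constructed pubspec.lock excerpt (not the app's real lock file).
PUBSPEC_LOCK = <<~YAML
  packages:
    demo_svg:
      dependency: "direct main"
      description:
        name: demo_svg
        url: "https://pub.dev"
      source: hosted
      version: "1.1.1"
    demo_http:
      dependency: "direct main"
      description:
        name: demo_http
        url: "https://pub.dev"
      source: hosted
      version: "0.13.4"
    demo_path:
      dependency: transitive
      description:
        name: demo_path
        url: "https://pub.dev"
      source: hosted
      version: "1.8.2+1"
  sdks:
    dart: ">=2.17.0 <3.0.0"
YAML

# Constructed registry snapshot: latest published version per package.
# A real check would fetch this from pub.dev; it is embedded here so the
# script runs offline.
LATEST = {
  "demo_svg"  => "1.1.3",
  "demo_http" => "0.13.4",
  "demo_path" => "1.8.2+1",
}.freeze

# Constructed advisory list with a placeholder id; these are not real
# advisories. "affected" is a list of Gem::Requirement-style constraints.
ADVISORIES = [
  { "id" => "ADVISORY-PLACEHOLDER-1", "package" => "demo_http", "affected" => ["< 0.13.5"] },
].freeze

# pub allows build metadata such as "1.8.2+1"; Gem::Version does not, so it
# is stripped before comparison (a simplification: pub itself orders builds).
def pub_version(str)
  Gem::Version.new(str.to_s.sub(/\+.*\z/, ""))
end

# Read every resolved package from the lock file, noting whether it is a
# direct dependency ("direct main"/"direct dev") or transitive.
def locked_packages(lock_text)
  YAML.safe_load(lock_text).fetch("packages").map do |name, info|
    {
      name:    name,
      version: info["version"],
      direct:  info["dependency"].to_s.start_with?("direct"),
    }
  end
end

# For each locked package, flag it as outdated when the registry snapshot
# has a newer version, and collect the ids of advisories whose affected
# range includes the locked version.
def audit(lock_text, latest: LATEST, advisories: ADVISORIES)
  locked_packages(lock_text).map do |pkg|
    current = pub_version(pkg[:version])
    newest  = latest[pkg[:name]]
    outdated = !newest.nil? && pub_version(newest) > current
    hits = advisories.select do |adv|
      adv["package"] == pkg[:name] &&
        Gem::Requirement.new(adv["affected"]).satisfied_by?(current)
    end
    pkg.merge(outdated: outdated, latest: newest, advisories: hits.map { |a| a["id"] })
  end
end

# Human-readable one-line summary per package, suitable for a CI log.
def report(lock_text)
  audit(lock_text).map do |r|
    flags = []
    flags << "OUTDATED (latest #{r[:latest]})" if r[:outdated]
    flags << "ADVISORY #{r[:advisories].join(', ')}" unless r[:advisories].empty?
    kind = r[:direct] ? "direct" : "transitive"
    "#{r[:name]} #{r[:version]} [#{kind}] #{flags.empty? ? 'ok' : flags.join('; ')}"
  end
end

puts report(PUBSPEC_LOCK) if __FILE__ == $PROGRAM_NAME
```

Pointing `PUBSPEC_LOCK` at a real lock file and replacing the two constructed tables with data fetched from the registry and an advisory feed turns this into a cheap pre-merge check that covers the gap the beta leaves open; transitive packages are included deliberately, since a vulnerable transitive dependency is just as reachable as a direct one.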
