How can I stop babysitting Dependabot?

I recently switched over to the new, native version of Dependabot. Prior to this switch, my Dependabot usage was practically “set it and forget it”. Every now and then I had to update some code to get CI passing again, but it was hands-off for the most part.

However, after switching, I now find myself spending literal hours managing pull requests. The native version of Dependabot no longer automatically merges PRs, nor does it seem to automatically rebase all open PRs when they become out-of-date.

For example, in one of my private repos, I currently have four open PRs from Dependabot, one of which is two commits behind main and two of which are eight commits behind. Only one PR is ahead of main. Furthermore, all four PRs have green checks, and there’s no indication that they’re out-of-date with the base branch. The only way I’ve found to fix this is to manually go through these PRs, one at a time, and comment @dependabot rebase, then wait for CI to finish, and then merge once things are green.

Am I doing something wrong here? I know that I need to manually merge PRs now, but do I really need to manually rebase them as well?

2 Likes

Hi @dstaley and thanks for making your first post in the forum!

Here are some other threads discussing automerge that will help to shed light on what is happening here.

The Dependabot team is aware that folks want to automerge their dependencies. Please see https://github.com/github/dependabot-updates/issues/225 for alternatives.

The team workin on Dependabot native let me know that they were not opposed to adding always as a rebase-strategy .

Keep an eye on our Changelog as well as the GitHub public roadmap to see features we are working on.

Hey, thanks for the update! I’m actually okay with manually reviewing PRs. What I’m struggling with is the fact that PRs don’t auto-rebase when out-of-sync with the target branch. I’ve filed a feature request here.

1 Like

Hi @dstaley I found this thread a few days ago when I was having the same problem. I don’t know if you ever solved it yourself, but I ended up creating this workflow that just runs when commits are added to the main branch and adds a @dependabot rebase comment to each dependabot PR when commits are added to the main branch. That gives dependabot a kick to update it’s branch.

1 Like