Using dependabot-gitlab in standalone mode with comment commands
dependabot-gitlab is an incredible port of GitHub's open source dependabot-core to GitLab. It supports nearly all of the same features as the original GitHub version. In addition, it provides dependabot-standalone, a GitLab CI/CD component that lets dependabot run in a standalone, stateless fashion without any infrastructure support beyond normal GitLab runners. This is gold, because it avoids the unnecessary cost and complexity of maintaining yet another service.
The main feature missing from dependabot-standalone is that it doesn't support "recreating" merge requests by commenting @dependabot recreate on a merge request. I find that when there are many dependabot MRs in flight, each trying to update a different dependency, conflicts between them are almost inevitable because of lock files like pubspec.lock and package-lock.json. In cases like this, it's nice to be able to quickly recreate the MR as the other changes are merged one by one, without having to resolve the conflicts manually. Thankfully, I've found a relatively easy workaround that still preserves the clean, stateless nature of dependabot-standalone. This post shows how it works.
First, I updated dependabot-standalone to support a new $DEPENDENCY variable that, when defined, runs dependabot:update_single_dependency to update a single dependency MR instead of the normal full scan. This update also optionally supports passing $FORCE_RECREATE which, when true, forces the MR to be recreated in all cases. For my purposes, this is exactly what I want.
Second, I used make.com to create a simple scenario that takes GitLab comment notifications as webhook events, filters for those that contain the @dependabot recreate magic text, and finally creates a new GitLab pipeline that runs dependabot against that MR. By parsing the GitLab MR title for the name of the dependency, I'm able to create a pipeline with the right variables to run dependabot:update_single_dependency. It should be possible to achieve the same thing with other automation platforms like n8n.io or Zapier. Done! Now I can recreate MRs with a simple comment command without needing to maintain additional infrastructure.
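The same filter-and-parse step, written out as a small webhook handler so the checks it needs are explicit. This is an added example, not code from the original post or from dependabot-gitlab: it verifies the GitLab webhook secret (the X-Gitlab-Token header), accepts only note events on merge requests whose comment is exactly the magic text, gates on an explicit list of allowed usernames (the note webhook does not carry the commenter's role, so the list is an assumption you would populate from your project), and derives $DEPENDENCY from the MR title under the assumed title format "Bump <name> from <old> to <new>" / "Update <name> requirement from ...", rejecting anything that does not look like a package name. The sample payload is constructed and trimmed to the fields the handler reads.

```python
import hmac
import re

# Constructed sample of a GitLab "note" webhook payload for a comment on a
# merge request, reduced to the fields this handler reads.
SAMPLE_PAYLOAD = {
    "object_kind": "note",
    "user": {"username": "alice"},
    "project": {"id": 42},
    "object_attributes": {
        "noteable_type": "MergeRequest",
        "note": "@dependabot recreate",
    },
    "merge_request": {
        "iid": 7,
        "title": "Bump lodash from 4.17.20 to 4.17.21",
        "target_branch": "main",
    },
}

# Assumed dependabot MR title format (not guaranteed by the project).
TITLE_RE = re.compile(r"^(?:Bump|Update) (?P<name>\S+) (?:requirement )?from ")
# Conservative allow-list for what may end up in $DEPENDENCY, so the pipeline
# variable can only ever carry something shaped like a package name.
NAME_RE = re.compile(r"^[A-Za-z0-9@/._:-]{1,128}$")
# The whole comment must be the command; a mention buried in other text is ignored.
COMMAND_RE = re.compile(r"^\s*@dependabot\s+recreate\s*$")


def verify_webhook_token(headers, expected_token):
    """GitLab sends the configured secret in X-Gitlab-Token; compare in constant time."""
    presented = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def dependency_from_title(title):
    """Return the dependency name from a dependabot MR title, or None."""
    m = TITLE_RE.match(title)
    if not m:
        return None
    name = m.group("name")
    return name if NAME_RE.match(name) else None


def recreate_request(headers, payload, expected_token, allowed_users):
    """Return the pipeline trigger (project, ref, variables) for a valid
    '@dependabot recreate' comment, or None if the event should be ignored."""
    if not verify_webhook_token(headers, expected_token):
        return None
    if payload.get("object_kind") != "note":
        return None
    attrs = payload.get("object_attributes", {})
    if attrs.get("noteable_type") != "MergeRequest":
        return None
    if not COMMAND_RE.match(attrs.get("note", "")):
        return None
    # Assumed gate: only listed users may trigger a pipeline by commenting.
    if payload.get("user", {}).get("username") not in allowed_users:
        return None
    mr = payload.get("merge_request", {})
    name = dependency_from_title(mr.get("title", ""))
    if name is None:
        return None
    return {
        "project_id": payload["project"]["id"],
        "ref": mr.get("target_branch", ""),
        "variables": {"DEPENDENCY": name, "FORCE_RECREATE": "true"},
    }


if __name__ == "__main__":
    print(recreate_request({"X-Gitlab-Token": "s3cret"}, SAMPLE_PAYLOAD, "s3cret", {"alice"}))
```

The returned dictionary maps directly onto the pipeline trigger API (POST /projects/:id/trigger/pipeline with ref and variables[...]), which is the call the make.com scenario makes in the post; the handler itself stays offline. Matching the comment against the whole note and restricting the parsed name to a fixed character set are the two details worth copying into any automation platform, since whatever the filter lets through becomes a CI variable.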