Adding dependencies to a project often helps you not reinvent the wheel. But at the same time it can cause issues in many different aspects of the project:

将依赖项添加到项目中通常可以帮助您不必浪费时间。 但是同时，它可能在项目的许多不同方面引起问题：

• Versioning: sometimes dependencies can require specific versions of other dependencies and this can cause hiccups in your app版本控制：有时依赖项可能需要其他依赖项的特定版本，这可能会导致应用程序出现故障
• Bundling: you need to be careful not to end up with too much extra code that will bloat your bundles捆绑：您需要注意不要以过多的额外代码结束，这些额外的代码会使捆绑包膨胀
• Updating: JavaScript moves fast, and if you don't update packages regularly you'll be playing Jenga in the future.更新：JavaScript运行Swift，如果您不定期更新软件包，则将来会玩Jenga。

There are different tools to cover the task of updating dependencies, like Dependencies.io, Snyk, and Dependabot. Since I have been using Dependabot for a while, I decided to write about my experience.

有很多工具可以满足更新依赖项的任务，例如Dependencies.io ， Snyk和Dependabot 。 由于使用Dependabot已有一段时间，因此我决定写自己的经验。

Dependabot is a tool acquired by GitHub a year ago that checks dependency files from different languages (Ruby, JavaScript, Python, PHP, Elixir, to name a few) and finds new versions of libraries you are using in your project. Here is the setup:

Dependabot是GitHub一年前购买的工具，用于检查来自不同语言(例如Ruby，JavaScript，Python，PHP，Elixir等)的依赖项文件，并查找项目中使用的库的新版本。 这是设置：

Daily updates can be overwhelming, and I think that weekly updates have a better cost/benefit. Also, I assign myself the Pull Requests so I can get notifications as soon they are opened.

每日更新可能不胜枚举，我认为每周更新具有更好的成本/收益。 另外，我为自己分配了“拉取请求”，这样我就可以在打开请求后立即收到通知。

如何有效使用Dependabot (How to use Dependabot effectively)

Dependabot includes, in each PR, release notes, changelogs, commit links and vulnerability details whenever available. This is useful because you can take a look at the information and decide to proceed or not.

Dependabot在每个PR中都包括发行说明，变更日志，提交链接和漏洞详细信息(如果可用)。 这很有用，因为您可以查看信息并决定是否继续。

However, as pragmatic programmers, we want to ensure things won't break. The PR details are important but more than that, we want a simulation of all (or almost all) deliverables that the project has.

但是，作为务实的程序员，我们希望确保一切都不会中断。 PR的细节很重要，但除此之外，我们还需要模拟项目中所有(或几乎所有)可交付成果。

This screenshot shows what happens every time a PR is opened in the components library codebase of my work.

此屏幕快照显示了每次在我的组件库代码库中打开PR时发生的情况。

• Tests (Jest / Bundle): the Jest task will test the React components while the Bundle task will simulate the bundling commands we run when we want to update the package in the NPM registry

  测试(Jest / Bundle) ：Jest任务将测试React组件，而Bundle任务将模拟我们要更新NPM注册表中的包时运行的捆绑命令

• Linters (Stylesheets / JavaScript): the stylesheet files follow a custom sass-lint setup and the JS code follows a series of ESLint rules. If a PR introduces a new version of a linter with new rules, we will be able to capture that.

  Linters(样式表/ JavaScript) ：样式表文件遵循自定义的sass-lint设置，而JS代码遵循一系列ESLint规则。 如果PR引入了具有新规则的短绒棉新版本，我们将能够捕获到它。

• Cypress (Screenshot Testing / Accessibility Testing): if a new package introduces changes that may be reflected in the look and feel of components, Cypress will capture the difference, screenshot it, and store in S3. Since Cypress needs a live version of the documentation website, we also get the Gatsby build process covered.

  赛普拉斯(屏幕快照测试/可访问性测试) ：如果新软件包引入了可能反映在组件外观上的更改，则赛普拉斯将捕获差异并将其截图并存储在S3中。 由于赛普拉斯需要文档网站的实时版本，因此我们也涵盖了盖茨比的构建过程。

With all these steps, it is very unlikely an external package will break our master branch. Kudos to my co-worker Grant Lee that also works on this project.

通过所有这些步骤，外部软件包几乎不可能破坏我们的master分支。 我的同事格randint·李(Grant Lee)也参与这个项目，对此我感到很荣幸。

Also posted on my blog. If you like this content, follow me on Twitter and GitHub. Cover photo by Zhang Kenny on Unsplash

也张贴在我的博客上 。 如果您喜欢此内容，请在Twitter和GitHub上关注我。 张肯尼的封面照片在《 Unsplash》上

翻译自: https://www.freecodecamp.org/news/using-dependabot-to-keep-your-environment-up-to-date/