Automating NPM Dependency Updates with GitHub Actions
Discover how to streamline your development with GitHub Actions for automated dependency updates, enhancing efficiency in your CI/CD pipeline.
Maintaining up-to-date dependencies in your software projects is crucial for security, performance, and accessing new features. This task, however, can be tedious and time-consuming.
What are GitHub Actions?
GitHub Actions is a CI/CD (Continuous Integration and Continuous Deployment) platform that allows you to automate your build, test, and deployment workflows right from your GitHub repository.
You can write individual tasks, called actions, and combine them to create a workflow. Workflows are defined by a YAML file in your repository and can be triggered by various GitHub events (like a push, pull request, or scheduled event).
Setting Up an Automatic Dependency Update Workflow
1. Understanding the Workflow File
The YAML file for our workflow, which might be named `.github/workflows/update-dependencies.yml`, begins like this:
```yaml
name: Update Dependencies
on:
  workflow_dispatch:
  schedule:
    - cron: '0 0 * * *' # Runs every day at midnight
```
This configuration sets up a workflow named “Update Dependencies” that triggers on two occasions: manually (`workflow_dispatch`) and on a schedule (`cron: '0 0 * * *'`, which means every day at midnight; GitHub Actions evaluates cron schedules in UTC, and scheduled runs can start a few minutes late when the platform is busy).
I like to add the manual configuration (`workflow_dispatch`) because it makes testing easier.
The location of the file is important. GitHub only looks for workflow files in the `.github/workflows` directory of your repository.
2. Configuring the Job
The `update` job runs on the latest Ubuntu runner provided by GitHub (`ubuntu-latest`) and consists of several steps:
Checking out the repository: `actions/checkout@v2` checks out your repository, so your workflow can access its files. This action is provided by GitHub.
Setting up Node.js: `actions/setup-node@v1` sets up the Node.js environment at the version you specify.
Installing Yarn: This step installs Yarn, a package manager, using NPM. It is only required if your application uses Yarn. If your application uses NPM, skip it and use the npm equivalents of the Yarn commands in the next step.
3. Updating Dependencies
The core of our workflow is updating the dependencies:
```yaml
- name: Update Dependencies
  run: |
    yarn global add npm-check-updates
    ncu -u
    yarn install
```
This step does the following:
- Installs `npm-check-updates`, a tool for upgrading the dependency ranges in your `package.json` to the latest published versions.
- Runs `ncu -u` (npm-check-updates), which rewrites the version ranges in `package.json`. Note that `ncu -u` ignores your existing semver ranges and jumps straight to the latest release, major versions included; if you only want minor or patch bumps, `ncu -u --target minor` (or `--target patch`) limits the upgrade.
- Runs `yarn install` to install the updated dependencies and regenerate the lock file, so the lock file and `package.json` land in the same commit.
4. Creating a Pull Request
Finally, the workflow uses the `peter-evans/create-pull-request@v3` action to create a pull request with the updated `package.json` and lock file.
The pull request will include a predefined message, title, and branch name. What you decide to put in the message is entirely up to you.
```yaml
- name: Create Pull Request
  uses: peter-evans/create-pull-request@v3
  with:
    commit-message: Update dependencies
    title: '[DEPENDENCY] Update Dependencies'
    body: |
      Updates dependencies in `package.json`.
```
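Putting the steps above together, here is a complete workflow file as an added example; it is not the author's own file (which the page links to separately) but a reconstruction of the steps described. It adds a `permissions` block so the default `GITHUB_TOKEN` is scoped to exactly what the pull-request step needs (pushing a branch and opening a PR) rather than the repository-wide default. The Node.js version, the Yarn install command and the branch name are assumptions, since the page does not state them.

```yaml
# .github/workflows/update-dependencies.yml
name: Update Dependencies

on:
  workflow_dispatch:          # manual trigger, handy for testing
  schedule:
    - cron: '0 0 * * *'       # every day at midnight (UTC)

# Least privilege for the job's GITHUB_TOKEN: the PR step needs to push a
# branch and open a pull request, nothing else in this job needs more.
permissions:
  contents: write
  pull-requests: write

jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '16'   # assumed version; use the one your project runs on

      - name: Install Yarn
        run: npm install -g yarn   # assumed install command; skip if you use npm only

      - name: Update Dependencies
        run: |
          yarn global add npm-check-updates
          ncu -u
          yarn install

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@v3
        with:
          commit-message: Update dependencies
          title: '[DEPENDENCY] Update Dependencies'
          body: |
            Updates dependencies in `package.json`.
          branch: update-dependencies   # assumed branch name; the action has its own default
```

Two hardening notes for a workflow like this. First, every `uses:` line is a third-party dependency of your pipeline; the major-version tags shown here (`@v2`, `@v1`, `@v3`) are mutable, so for supply-chain hygiene pin each action to a full commit SHA and let a separate update mechanism bump the pin. Second, this job writes to your repository, so keep the `permissions` block tight: the default token should not be able to do more than open the PR.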
5. Running the Action
The action will run automatically at midnight or whenever you trigger it using the manual run workflow trigger (Actions > Update Dependencies > Run workflow).
When the action finds dependencies to update, it will automatically create a PR with the required changes that you can merge at your leisure. Treat that PR like any other code change rather than merging it blindly: `ncu -u` bumps to whatever was published most recently, including major versions, and a freshly published release is exactly where a compromised package would appear. Also note that a pull request opened with the default `GITHUB_TOKEN` does not trigger your other workflows, so CI will not run on it unless you give the create-pull-request action a personal access token or a GitHub App token instead.
By automating the dependency update process using GitHub Actions, you can significantly reduce the manual effort involved in keeping your project dependencies current.
You can find a complete example of this code here (I use this to keep my personal site up-to-date).