November 29, 2023

The Limitations of Dependabot

Allison Pike

Open source software development has revolutionized the way we build and maintain software. Something like 96% of codebases now include open source components. However, one of the significant challenges for any software team relying on open source software is managing dependencies. Dependabot, a tool that automatically scans your project's dependencies and alerts you when a dependency contains a known security vulnerability or has a new version available, is one of the most widely used tools for solving this problem. While it's a valuable addition to any developer's toolkit, it's important to understand that Dependabot is not in and of itself a complete dependency management solution. We’ll explore that here.

1. Lack of Contextual Understanding

Dependabot lacks the ability to assess the impact of a dependency update on your specific repo. This can lead to problems like compatibility issues between a version of a dependency that Dependabot suggests upgrading to and a different dependency that your app relies on. If an incompatibility wouldn’t be caught by your package manager (for example two packages conflicting in a global namespace) it won’t be caught by Dependabot.

Without understanding the specifics of your codebase, Dependabot might initiate PRs that would break your app, creating work for your team to sort through which PRs are safe to merge and which ones are just noise, or potentially risky.

2. Limited Ability to Handle Breaking Changes

Dependabot primarily relies on the version numbers in your manifest files and semantic versioning to determine when to update dependencies. It is the responsibility of the developers on your team to find the changelog associated with the new release of the dependency, review that changelog for breaking changes that apply to your codebase, make the necessary code adjustments to accommodate the new version, test it, and deploy it. There can be complications with every step of this process.

Some open source project maintainers do not keep a changelog in source code, or don’t adhere to semantic versioning. For some packages, no changelog may exist at all. Once you find a changelog, researching the changes and assessing which changes apply or do not apply to your codebase can take a significant amount of time. For example a breaking change might drop support for a language version that your app relies on. In order to address that change, you first need to upgrade your language version, which may be a project in itself that relies on other intertwined dependencies. Even once all of the documented breaking changes are addressed, there may be undocumented incompatibilities between your specific codebase and the new package version. We’ve run into some wild ones, like a patch version of a popular APM provider’s SDK clashing with another popular logging platform, but only under the production environment.

3. It Won’t Dig You Out of a Deep Dependency Hole

The more stale your application, the more outdated dependencies you’ll have and the more likely it is that there are breaking changes between the versions you’re using and the versions that Dependabot will try to get you to. When you first enable Dependabot, it will start opening pull requests to update your outdated dependencies within minutes, up to a maximum of five PRs. But without a holistic strategy to dig out of the hole, you may find yourself overwhelmed and drowning in failing PRs. 

Getting your application to a reasonable state where Dependabot can start generating useful, automated updates often requires some amount (and sometimes a large amount) of upfront planning and upgrade work. Dependabot is not a good solution for an app that’s been left unmaintained.

4. False Positives and Negatives

Dependabot's automated approach sometimes generates false positives and false negatives. It might recommend updates that appear necessary but end up causing issues, or it might not alert you to critical updates that could enhance security or performance. Relying solely on Dependabot's notifications can lead to a false sense of security, and it may neglect important updates that are not clearly indicated by version numbers in maintainer documentation.

5. Incomplete Testing

Dependabot can automatically generate pull requests to update dependencies, but it doesn't ensure these updates won't break your code. This can create new risk when accepting automatic updates. Developers should run their regular test suite after accepting Dependabot-generated pull requests to ensure everything works as expected, but if test coverage is limited, this can create a false sense of security that a Dependabot-generated PR will not break anything. Dependabot works best on apps with robust test coverage.

Dependabot can be a very useful tool when an organization has built significant muscle around researching, changing, and merging PRs generated by its automated system. Absent such guardrails, a more comprehensive platform like Infield can improve your team’s overall dependency management posture and keep you in good shape going forward.