Skip to main content

Dependabot for Dart and Flutter

Dependabot for GitHub projects.

You may be wondering what Dependabot is. Basically we could say that GitHub has a security tool that periodically checks the dependencies of your application through Pull Requests, both from a security point of view, alerting you if any dependency in your repository is vulnerable or if there is simply a new version available and you want to be notified or directly make a Pull Request to upgrade the dependency. The number of options available are as follows:

Dependabot configuration window on GitHub.

Unfortunately it is not available for all the programming languages we want, but since more than half a year ago Dependabot already supports security updates for Dart and Flutter applications that use Pub packages. This will allow us to get notifications for each dependency manager that we have configured in the project. Taking into account that Flutter generates a native project for each platform, we can choose if we only want to be notified with the Flutter Pub dependency manager or if we also want it for Android and iOS. In the latter case, since Flutter uses Cocoapods as dependency manager, we won't be able to use Dependabot for the iOS project it creates internally since, as we can see, it officially only supports the native dependency manager Swift Package Manager.

List of dependabot tool support on GitHub by language and features supported.

Steps for Dependabot configuration in Flutter

1. Creating the structure 

The first thing we need to do is create a .github directory in the root of the project if we don't already have it created as it is also used if your project uses continuous integration within GitHub. 

Then we must add a file inside the .github directory called dependabot.yml as we can see below:

Android Studio file explorer with the .github folder containing the dependabot.yml file with the tool configuration.

2. Giving value to the file

Now it's time to choose whether we want to be notified only with the Flutter dependency manager (Pub) or if we also want it for Android and iOS.  Within the dependabot.yml file we will configure for each dependency manager the frequency with which we want this to be analysed as well as the directory in which it is located and we could even configure a limit to the maximum number of pull requests.

Contents of the dependabot.yml file for the dependabot configuration on GitHub.

If you notice in the first entry inside the file there is a version number, this is used internally by GitHub when updating the configuration of this file. As you can see I have configured both Flutter and Android dependency manager, at the same time, with a weekly frequency and no limit of Pull Requests.

3. Enabling Dependabot on GitHub

Following the excellent documentation on GitHub:

    1. We will go to the configuration of our project.

GitHub with a project selected with the Settings tab open.

    2. In the Security section of the sidebar:

Security menu within a GitHub project's configuration.

3.  Here we will be able to enable all the configurations we want, in my case I wanted to explore all the available configurations:

Dependabot security section within the configuration of a project on GitHub.


Dependabot is an excellent tool that saves me time and effort because now when I perform Pull Requests to my branches Dependabot is part of my continuous integration helping me to keep my projects secure and up to date. 

Actions triggered automatically after executing the trigger configured in the security section of the project.

Although I have to admit that when I activated Android to see what data Dependabot was giving me I had to deactivate it because it started to give me updates that did not pass my continuous integration:

List of Pull Requests in GitHub generated by Dependabot when detecting new versions of Flutter dependencies after running the configured trigger.

This happens because Dependabot configures in Gradle the dependencies to a higher version (the last one available in the package manager). While Flutter configures the version of the dependency in Gradle with the one that is marked in the latest version available in the package published in the dependency manager. So I decided to disable the Android check, leaving the dependabot.yml file as follows:

Full content of dependabot.yml for a Flutter project on GitHub.


© 2020 Mobile Dev Hub