You may be wondering what Dependabot is. In short, it is GitHub's dependency-management tool: it periodically scans the dependency manifests of your repository and acts through Pull Requests. It covers both the security side, alerting you when a dependency in your repository has a known vulnerability, and plain maintenance, telling you when a new version of a dependency is available or directly opening a Pull Request that upgrades it. Dependabot therefore offers three things: alerts for vulnerable dependencies, security updates (Pull Requests that fix a vulnerable dependency) and version updates (Pull Requests that bump dependencies to newer releases).
Unfortunately it is not available for every programming language we might want, but for more than half a year now Dependabot has supported security updates for Dart and Flutter applications that use Pub packages. This lets us receive notifications for each dependency manager we have configured in the project. Since Flutter generates a native project for each platform, we can choose whether we only want to be notified for the Flutter dependency manager (Pub) or also for the Android and iOS projects. For iOS, however, Flutter uses CocoaPods as its dependency manager, and Dependabot does not support it: on the Apple side it officially supports only the native Swift Package Manager, so the iOS project that Flutter generates internally cannot be covered.
Steps for Dependabot configuration in Flutter
1. Creating the structure
The first thing we need to do is create a .github directory in the root of the project, if it does not already exist. You may already have it, since GitHub Actions workflows for continuous integration live in the same directory (.github/workflows).
Then we add a file named dependabot.yml inside that directory, so that its full path is .github/dependabot.yml.
2. Giving value to the file
Now it is time to choose whether we want to be notified only for the Flutter dependency manager (Pub) or also for Android and iOS. Inside dependabot.yml we add one entry per dependency manager (the package-ecosystem key, for example pub or gradle), and for each one we configure how often it should be analysed (schedule), the directory that contains its manifest (directory) and, optionally, the maximum number of open Pull Requests Dependabot may keep (open-pull-requests-limit).
The first entry in the file is a version number. It is not the version of any dependency but the version of the dependabot.yml syntax itself, which GitHub uses to interpret the rest of the file; at the time of writing it must be 2. In my case I configured both the Flutter (pub) and the Android (gradle) dependency managers at the same time, with a weekly frequency and without limiting the number of Pull Requests. Note that when open-pull-requests-limit is not set the default is 5 open Pull Requests per entry, and setting it to 0 disables version updates for that entry altogether.
3. Enabling Dependabot on GitHub
1. Open the repository's Settings tab on GitHub.
2. In the Security section of the sidebar, open the code security settings.
3. Here we can enable all the Dependabot options we want (alerts, security updates and version updates); in my case I wanted to explore all the available configurations.
Note that the dependabot.yml file on its own is what drives version updates; the alerts and the automatic security updates are the ones that must be switched on in these repository settings.
Conclusion
Dependabot is an excellent tool that saves me time and effort: now, when I open Pull Requests against my branches, Dependabot is part of my continuous integration, helping me keep my projects secure and up to date.
Although I have to admit that when I activated Android, to see what data Dependabot would give me, I had to deactivate it again, because it started to open updates that did not pass my continuous integration.
This happens because Dependabot bumps the Gradle dependencies of the generated Android project to the highest version published in the package repository, whereas Flutter generates that Android project with the dependency versions that its own tooling expects for the installed Flutter release. When Dependabot moves a Gradle dependency beyond the version Flutter supports, the build breaks. So I decided to disable the Android check and keep only the Pub entry in dependabot.yml.
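The configuration described in step 2 (Pub plus Gradle, weekly, no limit on Pull Requests) and the final, Pub-only file described above, as an added example that is not the post's own file. It assumes the default Flutter project layout, with pubspec.yaml at the repository root and the generated Android project under android/; the commented open-pull-requests-limit value is only illustrative.

```yaml
# Added example, not the file from the original post. Assumes the default
# Flutter layout: pubspec.yaml at the repository root, Android project in android/.
version: 2            # version of the dependabot.yml syntax, not of any dependency
updates:
  # Dart/Flutter packages declared in pubspec.yaml
  - package-ecosystem: "pub"
    directory: "/"    # directory that contains pubspec.yaml
    schedule:
      interval: "weekly"
    # open-pull-requests-limit: 10   # optional; default is 5, 0 disables version updates

  # Gradle dependencies of the generated Android project. This is the entry
  # the post enables in step 2 and later removes, because the Gradle versions
  # Dependabot proposed did not match the ones the Flutter tooling expects.
  # Kept here commented out so it can be re-enabled if that changes.
  # - package-ecosystem: "gradle"
  #   directory: "/android"   # directory that contains build.gradle (assumed layout)
  #   schedule:
  #     interval: "weekly"
```

Removing the gradle entry only stops Dependabot's version-update Pull Requests for the Android project; Dependabot alerts and security updates are governed by the repository's security settings, not by this file, and keep working for every ecosystem GitHub can scan. If only a few Gradle dependencies cause trouble, the ignore key of an updates entry can exclude them individually instead of dropping the whole ecosystem.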