Jochen Just
08. May 2023
2 min read

How to easily keep your dependencies up-to-date

You definitely want to keep your software project's dependencies as up-to-date as possible. If you don't do it, technical debt will accumulate. I'll show you two alternatives to tackle this dull process automatically.

It is a good idea to keep the dependencies of your software project up-to-date. If you don't do it on a regular basis, you will end up with outdated dependencies.

If you wait long enough, it is going to be really unpleasant to do those updates. Maybe you are in a hurry because there are some security issues you need to address.

But updating dependencies is a very dull process. Luckily, there are tools for that.

Dependabot is probably one of the best-known tools in that area, so I do not think you'll need an introduction. But if you are using Gradle as a build tool, there are some restrictions you should be aware of.

In short: Dependabot can only help you if you declare your dependency versions in the specific places it supports.

But what do you do if Dependabot does not support your setup? Or if you simply do not want to use it?

refreshVersions to the rescue

I recently stumbled upon the Gradle plugin refreshVersions. As it sounded promising, I gave it a try.

This plugin uses the Gradle API and some conventions to let you manage dependency versions in a plain text file called versions.properties.

Once you have set it up, a simple gradle refreshVersions will check for newer versions of your dependencies and add them as comments in versions.properties.

It adds only comments because the plugin authors are of the opinion that a human should decide whether to upgrade a dependency or not. The heavy lifting of finding update candidates, however, should be done by a machine.

You can use those comments as markers for the updates you already know about. That means if you cannot update to a certain version, just commit the comments and refreshVersions will not bug you about it anymore.

There is even a Gradle task to help you migrate existing projects.

For all of you who want an integration similar to what Dependabot offers, the documentation describes how to do it on GitHub. Sadly, I was not able to get it running.

With some adjustments it worked like a charm.

If you try it on one of your repositories, be sure that you have allowed GitHub Actions to create and approve pull requests.

Since none of this is very complicated, it should be fairly easy to adapt my example to other CI tools.
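To make the two points above concrete (the marker comments refreshVersions writes into versions.properties, and reusing them from a CI job on any platform), here is an added example that is not from this post or from the refreshVersions project. It embeds a constructed versions.properties as it would look after a run of the plugin and parses the "## # available=" marker lines into a short report, so a CI job can decide whether there is anything worth opening a pull request for. The dependency coordinates and version numbers in the sample are made up; the key naming and marker layout follow the plugin's convention as I understand it.

```shell
#!/usr/bin/env sh
# Added example, not part of the post or of refreshVersions: summarise the update
# candidates that `./gradlew refreshVersions` records as comments in
# versions.properties, so a CI job can decide whether to open a pull request.

# Constructed sample of a versions.properties file after running refreshVersions.
# Key/value lines are the versions the project uses; the "##  # available=" lines
# are the markers the plugin adds (one per newer version it found).
SAMPLE_VERSIONS='version.kotlin=1.8.20
##            # available=1.8.21

version.com.squareup.okhttp3..okhttp=4.10.0
##                                  # available=4.11.0

version.junit.jupiter=5.9.3
'

# list_update_candidates FILE
# Prints one line per dependency that has at least one newer version noted:
#   <key> <current> <newest available>
# Marker lines follow their entry, so the last "available" seen wins (newest).
list_update_candidates() {
  awk '
    /^[ \t]*$/ { next }                      # blank separators
    /^##.*# available=/ {                    # marker written by refreshVersions
      sub(/.*# available=/, "")
      if (key != "") latest = $0
      next
    }
    /^#/ { next }                            # header block and other comments
    /=/ {                                    # a real version entry
      if (key != "" && latest != "") print key, current, latest
      split($0, kv, "="); key = kv[1]; current = kv[2]; latest = ""
    }
    END { if (key != "" && latest != "") print key, current, latest }
  ' "$1"
}

# count_update_candidates FILE -> number of dependencies with a pending update
count_update_candidates() {
  list_update_candidates "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample (a CI job would point this at the real file
# right after `./gradlew refreshVersions`).
tmp=$(mktemp)
printf '%s' "$SAMPLE_VERSIONS" > "$tmp"
list_update_candidates "$tmp"
echo "pending updates: $(count_update_candidates "$tmp")"
rm -f "$tmp"
```

Because committed marker comments are exactly how you tell refreshVersions "I know about this one", the count only reflects markers that are not yet in the repository if you run it on the diff after the Gradle task rather than on the whole file. In a GitHub Actions job you would gate the pull-request step on a non-zero count; that job also needs `permissions: contents: write` and `pull-requests: write` in the workflow, in addition to the repository setting mentioned above that lets Actions create pull requests.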

Differences between Dependabot and refreshVersions

I have to admit that Dependabot is more comfortable to set up and has better pull request titles (e.g. the dependency to upgrade is included in the title).

Additionally, Dependabot opens one pull request per dependency. Whether that is an advantage or not is up to you.

What I definitely consider an advantage: you can run version updates on any machine at any time you want. You are no longer dependent on an external service.

Conclusion

Even if you cannot or do not want to use tools like Dependabot, there is a reasonable alternative to update your dependencies (almost) automatically. That means there is no reason not to start doing it. This way you can keep even your small pet projects up-to-date without any hassle.

To see both solutions in action I created two minimalist examples. They do not contain any code, just some outdated dependencies.

You can see some example pull requests as well. The one named Upgrade dependencies is from the refreshVersions plugin. Those that start with Bump are from Dependabot.
