Reviewing and Merging Dependabot Pull Requests
This guide explains how to triage, review, test, and safely merge GitHub Dependabot pull requests.
We use Dependabot to automatically keep our dependencies up to date across projects. It helps ensure our applications remain secure, compatible, and maintainable by regularly checking for new versions and security patches.
Steps to Review and Merge Dependabot PRs
1. Open and Understand the PR
- Open the Dependabot PR in GitHub.
- Carefully read the changelog, release notes, and any linked advisories or migration guides.
- Identify whether it’s a patch, minor, or major update, and note potential breaking changes.
2. Pull and Test Locally
- Pull the branch locally to test the update in your environment.
- Run the full test suite:
  - Unit tests
  - Integration tests
  - Linting
  - Build
- Exercise critical paths in the application.
3. Verify CI Pipelines
- Ensure all pipeline jobs (build, tests, lint) have passed successfully.
- If any step fails, review the error logs to determine whether the issue stems from the dependency change.
4. Infrastructure and Configuration Updates
For Terraform, GitHub Actions, or Docker updates:
- Run a dry-run or plan (e.g. terraform plan, docker build) and inspect the diff.
- Confirm there are no unexpected infrastructure or configuration drifts.
5. Apply or Adjust Code Changes if Needed
- If the dependency introduces breaking changes or deprecations, update the affected code accordingly.
- Ideally, push changes to the same PR to keep it self-contained and traceable.
6. Deploy and Validate in Non-Production
- Deploy the PR to a dev and pre-production environment.
- Follow the guidance outlined in Production Deployments & Release Management.
- Use the relevant Dependabot Change Management template to ensure the change is correctly assessed and approved.
- Run smoke tests and validate key user journeys.
- Confirm that the system behaves as expected before proceeding to production.
7. Merge and Monitor
- Schedule the merge during a low-risk deployment window.
- Merge with a clear and descriptive commit message.
- After deployment, monitor logs, dashboards, and alerts for anomalies.
Precautions
- Be mindful of major version bumps or risky updates.
- Some packages introduce breaking changes even in minor updates.
- When in doubt, pair review and run the PR locally or in a dev environment before approval.
- Be prepared to roll back quickly if any regressions or issues arise.
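Step 1 asks you to identify whether a PR is a patch, minor or major update, and the precautions above warn that 0.x packages and pre-releases deserve extra scrutiny. The following is an added triage helper (not part of this guide's tooling) that parses the conventional Dependabot title shape "Bump <name> from <old> to <new>" and classifies the bump; the title strings, the pre-release suffix list and the review threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Conventional single-dependency Dependabot title, e.g.
#   "Bump lodash from 4.17.20 to 4.17.21 in /frontend"
#   "Bump actions/checkout from 3 to 4"
# Grouped titles ("Bump the npm group with 3 updates") do not match and
# are returned as None so the reviewer inspects them by hand.
TITLE_RE = re.compile(
    r"^(?:chore(?:\(deps\))?: )?[Bb]ump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)"
)
# Assumed pre-release markers; "18-alpine"-style image tags are not pre-releases.
PRERELEASE_RE = re.compile(r"-(alpha|beta|rc|pre|dev)", re.IGNORECASE)

@dataclass
class Bump:
    name: str
    old: str
    new: str
    kind: str  # "major", "minor", "patch", "prerelease" or "unknown"

def _parse_version(v: str) -> Optional[Tuple[int, int, int]]:
    # Drop a leading "v" and any "-suffix"/"+build", then pad to major.minor.patch.
    core = v.lstrip("v").split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])

def classify(old: str, new: str) -> str:
    o, n = _parse_version(old), _parse_version(new)
    if o is None or n is None:
        return "unknown"
    if PRERELEASE_RE.search(new):
        return "prerelease"
    if n[0] != o[0]:
        return "major"
    if n[1] != o[1]:
        return "minor"
    return "patch"

def parse_title(title: str) -> Optional[Bump]:
    m = TITLE_RE.match(title)
    if not m:
        return None
    return Bump(m["name"], m["old"], m["new"], classify(m["old"], m["new"]))

def needs_extra_review(bump: Bump) -> bool:
    # Assumed threshold: majors, pre-releases, unparseable versions, and minor
    # bumps of 0.x packages (where minor is breaking under caret semantics).
    o = _parse_version(bump.old)
    zero_major_minor = o is not None and o[0] == 0 and bump.kind == "minor"
    return bump.kind in ("major", "prerelease", "unknown") or zero_major_minor
```

Run it over the PR titles from your repository's open Dependabot PRs to decide which ones go through the full local test and non-production deployment path before approval.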
This page was last reviewed on 30 January 2026.
It needs to be reviewed again on 30 July 2026 by the page owner #nvvs-devops.