Automating dependency updates with Dependabot


The Sprout Social Android mobile app is a powerful native application that keeps our customers connected to their social media presence on the go. As part of our Android app, we maintain over 35 open source community-maintained dependencies that provide useful building blocks for our application.

Our dependencies provide a myriad of features such as frameworks for making network calls, asynchronous image loading, testing tools, and other existing solutions that solve common Android development challenges. Some of these dependencies are necessary to take advantage of core Android libraries, while others help solve common software challenges without having to write all the code from scratch. Each dependency allows us to leverage functionality without having to reinvent the wheel.

At the same time, every dependency we add is a responsibility to keep it updated, so that we pick up new releases that improve performance and functionality and, just as importantly, patch published security vulnerabilities. It sounds great on paper, but as any mobile developer knows, manually tracking these updates is a real burden.

One of our values on the Sprout engineering team is to act with purpose and focus. In that spirit, we set out to implement a smarter solution so we can spend more time building impactful features for our customers. To achieve this, we adopted GitHub's built-in automated dependency management tool, Dependabot. Dependabot reduces our volume of outdated dependencies, simplifies the effort required to update them, and streamlines our overall development process.

Moving away from manual dependency maintenance

In native Android development, dependencies are declared in a build.gradle file. Given a dependency's coordinates and version, Gradle resolves it from one of the repositories configured for the project (such as Maven Central or Google's Maven repository) and fetches it for use within the application. If an Android app is multi-module, each module has its own build.gradle file that declares the dependencies for that module.

Maintaining these dependencies efficiently is critical to a smooth development process and to providing customers with an effective social media management application that can keep up with the speed of social media. But keeping dependencies up to date is a daunting task: each update requires sizing the work, checking version compatibility, making any code changes the new version demands, and testing.

Before Dependabot, we had a manual dependency management process. As the complexity of our application increased, so did the time spent managing dependencies. The team spent significant effort first noticing that a dependency needed an update, then pushing that update through our agile development workflows to prioritize and complete it. We often discovered that dependencies needed updates in the middle of feature development, which introduced the ever-dreaded scope creep. We needed a better way.

Introducing Dependabot

Dependency management is not a new concept. Since most of the work required to manage dependencies is repetitive and monotonous, our team thought this would be the perfect candidate for something that could be automated (without falling into the trap of having to write the automation ourselves).

We found Dependabot to be a good fit for our needs: it is a tool built into GitHub that automatically detects newer versions of dependencies and reports the compatibility information it has for each update. Whenever a new version becomes available, it opens a pull request (PR) that bumps the version and includes the release notes, changelog excerpt and commit links for the update, which we have been able to integrate seamlessly into our regular development workflow. Suddenly we no longer had to spend long hours manually making sure everything was up to date.


Dependabot parses our build.gradle files to find the dependencies and versions we declare, then creates PRs for any that have newer releases. Note that it works from the declared dependencies in the build files it scans; transitive dependencies pulled in by those libraries are only updated when the library that declares them is. For the implementation to be successful, we needed a way to carefully review each PR and streamline PR merges.

A decision tree graph that Dependabot uses to identify any dependencies that need to be updated.

During any release of our Android app, we assign a release manager. We decided to fold this responsibility into the release manager process, with the expectation that up to five dependency updates will be completed during each release cycle. The release manager reviews the dependency updates discovered by Dependabot, ensures that our continuous integration tests on the PR pass and that the library's release notes contain no breaking changes, then reviews what the version bump actually brings in and takes the list of PRs to the team for approval to merge.
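The workflow above, scanning the Gradle build files, capping the number of open update PRs at the five-per-release budget, and routing them to a release manager, maps directly onto a Dependabot configuration file. The following `.github/dependabot.yml` is an added example written for this article, not Sprout Social's actual configuration; the `example-org/android-release-managers` team handle, the `com.example:legacy-sdk` coordinate and the Kotlin grouping are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml
# Constructed example, not the project's own configuration.
version: 2
updates:
  - package-ecosystem: "gradle"
    # Root of the repository. Dependabot's Gradle support locates the module
    # build files declared in settings.gradle from here (assumption for this
    # example); if a module is missed, add a second "updates" entry pointing
    # at that module's directory.
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Matches the "up to five dependency updates per release cycle" budget.
    # This limit applies to version updates only; Dependabot security updates
    # raised from GitHub's advisory database have their own separate limit.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "android"
    # Hypothetical team handle: the release manager's team gets the review request.
    reviewers:
      - "example-org/android-release-managers"
    commit-message:
      prefix: "deps"
    # Libraries that must move together get one PR instead of several.
    groups:
      kotlin:
        patterns:
          - "org.jetbrains.kotlin*"
    # Hypothetical coordinate: hold back major bumps that are known to need
    # code changes, so they are scheduled as feature work instead.
    ignore:
      - dependency-name: "com.example:legacy-sdk"
        update-types: ["version-update:semver-major"]
```

Two practical checks before relying on this: first, when the repository's CI runs on GitHub Actions, workflows triggered by Dependabot's own pushes receive a read-only `GITHUB_TOKEN` and no repository secrets, so any job that needs a signing key or a private repository credential has to be separated from the checks that gate the merge. Second, a reviewer should confirm that a Dependabot PR changes only the version string and the metadata Dependabot generates; the security value of the process comes from the release manager reading the upstream release notes for the new version, not from the bump itself.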

The advantages of automation

Automated dependency management is a powerful tool that significantly improves our development process and the quality of life of our engineers. It also delivers high value to users, who get the latest library features and fixes within our native mobile application. With a tool like Dependabot, we have simplified discovering, integrating and versioning dependency updates, reducing the manual effort engineers have to expend and decreasing the chance of version conflicts in our dependency tree.

As the complexity of Android projects continues to grow, adopting automated dependency management was a highly valuable step in ensuring a world-class development process for our team and a world-class Android application for our customers.

To learn more about Sprout’s engineering team and culture, visit our careers site.
