Overview
When developing in a monorepo, you need to manage many dependency libraries. With GitHub's Dependabot, you can automatically detect dependency updates and have PRs created for them.
However, as the number of Dependabot PRs grows, it becomes difficult to decide which PRs should be handled first and which tests each one needs.
In this blog post, we will learn about the Standard Operating Procedure (SOP) for efficiently processing Dependabot-generated PRs.
PR Classification
Basic Classification Criteria
To handle Dependabot PRs, you first need to understand the risk level of each library. You can use the following table to classify the risk level of libraries.
| Criteria | High Risk | Medium Risk | Low Risk |
|---|---|---|---|
| Production Runtime | O (Runtime) | △ (Partial Runtime) | X (devDependency) |
| Scope of Impact | All Apps | Specific Features/Apps | Development Only |
| Issue Detection | Manual Test Needed | Partially CI Detectable | Fully CI Detectable |
| User Impact | Direct | Indirect | None |
Risk Adjustment by Version
You can adjust the risk based on the library category and the type of version bump (major, minor, or patch).
| Library Category | Major | Minor | Patch |
|---|---|---|---|
| High Risk (react, etc.) | 🔴 High | 🟡 Med | 🟡 Med |
| Medium Risk Runtime (axios) | 🟡 Med | 🟡 Med | 🟢 Low |
| Medium Risk CI Detectable (vite) | 🟡 Med | 🟢 Low | 🟢 Low |
| Low Risk Runtime (lodash) | 🟡 Med | 🟢 Low | 🟢 Low |
| Low Risk Dev Tools (@types) | 🟢 Low | 🟢 Low | 🟢 Low |
Classification Flowchart
Using the basic classification criteria and version-based risk adjustment, you can create the following flowchart. This flowchart makes it easy to classify when adding new libraries or reviewing Dependabot PRs.
```text
Adding a New Library
        │
        ▼
┌───────────────────────────────────┐
│ 1. Used in Production (Runtime)?  │
└───────────────────────────────────┘
        │
    ┌───┴───┐
    │       │
   Yes     No → Low Risk (Dev Tool)
    │
    ▼
┌───────────────────────────────────┐
│ 2. Affects All Apps?              │
└───────────────────────────────────┘
        │
    ┌───┴───┐
    │       │
   Yes     No → Check Scope
    │       │
    │       ▼
    │    Specific App → Medium Risk (Runtime)
    │                   or
    │                   Low Risk (Runtime)
    ▼
┌───────────────────────────────────┐
│ 3. CI Detectable?                 │
└───────────────────────────────────┘
        │
    ┌───┴───┐
    │       │
   Yes     No → High Risk
    │
    ▼
Medium Risk (CI Detectable)
```
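The risk matrix and flowchart above can be applied mechanically to each PR. The following Node.js script is an added example, not code from the original post: it parses the title Dependabot gives its PRs ("Bump <pkg> from <old> to <new>"), looks the package up in the category tables, and reads the risk level off the version matrix. It assumes the PR's labels are available as an array and that Dependabot security updates carry a `security` label; the package.json and titles are constructed sample data.

```javascript
// Added example, not code from the original post: classify a Dependabot PR with the
// risk matrix above from its title, labels and the repo's package.json. Package lists
// come from the tables; the sample inputs are constructed.
const LISTS = { // entries ending in "/" are scope prefixes ("@storybook/*" in the tables)
  high: ["react", "react-dom", "@reduxjs/toolkit", "react-redux", "react-router-dom"],
  mediumRuntime: ["axios", "i18next", "react-i18next", "konva", "react-konva", "recharts"],
  ciDetectable: ["vite", "typescript", "@vitejs/plugin-react", "turbo", "jest", "vitest",
    "@playwright/test", "eslint", "@typescript-eslint/", "storybook", "@storybook/"],
  lowRuntime: ["lodash", "js-cookie", "date-fns", "clsx", "react-ga4", "qrcode.react",
    "react-hotkeys-hook", "papaparse"],
};
// Risk adjustment by version: category -> [major, minor, patch]
const MATRIX = {
  high: ["High", "Med", "Med"], mediumRuntime: ["Med", "Med", "Low"],
  ciDetectable: ["Med", "Low", "Low"], lowRuntime: ["Med", "Low", "Low"],
  devTool: ["Low", "Low", "Low"],
};
const BUMPS = ["major", "minor", "patch"];
// Parse Dependabot's "Bump <pkg> from <old> to <new> ..." title; null if it is not one.
function parseTitle(title) {
  const m = /^Bump (\S+) from (\d+\.\d+\.\d+)\S* to (\d+\.\d+\.\d+)/.exec(title);
  if (!m) return null;
  return { name: m[1], from: m[2].split(".").map(Number), to: m[3].split(".").map(Number) };
}
// The first differing semver component decides the bump type.
function bumpType(from, to) {
  const i = [0, 1, 2].find((k) => from[k] !== to[k]);
  return i === undefined ? "patch" : BUMPS[i];
}
function categorize(name, pkg) {
  const hit = (list) => list.some((e) => (e.endsWith("/") ? name.startsWith(e) : name === e));
  const cat = Object.keys(LISTS).find((c) => hit(LISTS[c]));
  if (cat) return cat;
  // Assumption (not from the post): an unlisted devDependency is a dev tool; an unlisted
  // runtime dependency is treated conservatively as medium risk until someone classifies it.
  return name in (pkg.devDependencies || {}) ? "devTool" : "mediumRuntime";
}
function classifyPr(title, labels, pkg) {
  const parsed = parseTitle(title);
  if (!parsed) return null;
  const bump = bumpType(parsed.from, parsed.to);
  const category = categorize(parsed.name, pkg);
  const risk = MATRIX[category][BUMPS.indexOf(bump)];
  // Security updates are handled immediately; majors go to team discussion; the rest batch.
  const priority = labels.includes("security") ? "immediate" : bump === "major" ? "team-discussion" : "batch";
  return { name: parsed.name, bump, category, risk, priority };
}
// Constructed sample package.json and a PR title in the form Dependabot generates.
const samplePkg = { dependencies: { react: "18.2.0" }, devDependencies: { prettier: "3.0.0" } };
console.log(classifyPr("Bump react from 18.2.0 to 19.0.0 in /apps/web", [], samplePkg));
```

Run it with `node classify.js`; the printed object for the react bump is `{ bump: "major", category: "high", risk: "High", priority: "team-discussion" }`.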
High Risk
High-risk libraries have the following characteristics:
- Direct impact on production (runtime)
- Affects all apps
- Manual testing required
Target Libraries
| Library | Version | Description | Impact |
|---|---|---|---|
| react | Major | UI Framework Core | Affects All Apps |
| react-dom | Major | React DOM Renderer | Affects All Apps |
| @reduxjs/toolkit | Major | State Management Core | Affects All Apps on API Change |
| react-redux | Major | Redux Binding | Affects State Management |
| react-router-dom | Major | Routing System | Affects Navigation |
Handling Method
- Verify CI passes (run all tests)
- Check CHANGELOG and Breaking Changes
- Check migration guide (if applicable)
- Test all apps and team member review
Medium Risk
Medium-risk libraries have the following characteristics:
- Partial impact on production (runtime)
- Detectable in build (CI)
Target Libraries
Minor, Patch Updates of High-Risk Libraries
| Library | Version | Description | Impact |
|---|---|---|---|
| react | Minor, Patch | UI Framework Core | Affects All Apps |
| react-dom | Minor, Patch | React DOM Renderer | Affects All Apps |
| @reduxjs/toolkit | Minor, Patch | State Management Core | Affects All Apps on API Change |
| react-redux | Minor, Patch | Redux Binding | Affects State Management |
| react-router-dom | Minor, Patch | Routing System | Affects Navigation |
Major Updates of CI Detectable (Build/Test/Lint)
| Library | Version | Description | Impact |
|---|---|---|---|
| vite | Major | Build Tool | All App Build |
| typescript | Major | Type System | All App Build |
| @vitejs/plugin-react | Major | Vite React Plugin | All App Build |
| turbo | Major | Monorepo Build Tool | CI/CD |
| jest | Major | Test Framework | All App Tests |
| vitest | Major | Test Framework | All App Tests |
| @playwright/test | Major | E2E Testing | E2E Tests |
| eslint | Major | Linter | Code Quality |
| @typescript-eslint/* | Major | TypeScript ESLint | Code Quality |
| storybook | Major | Component Docs | components Package |
| @storybook/* | Major | Storybook Related | components Package |
Major, Minor Updates with Runtime Impact
| Library | Version | Description | Impact |
|---|---|---|---|
| axios | Major, Minor | HTTP Client | All App API Calls |
| i18next | Major, Minor | i18n Support | All App i18n Parts |
| react-i18next | Major, Minor | React i18n Binding | All App i18n Parts |
| konva | Major, Minor | Canvas Library | Specific Apps Only |
| react-konva | Major, Minor | Konva React Binding | Specific Apps Only |
| recharts | Major, Minor | Chart Library | Specific Apps Only |
Major Updates of Low-Risk Runtime Utilities
| Library | Version | Description | Impact |
|---|---|---|---|
| lodash | Major | Utility | Used in Production |
| js-cookie | Major | Cookie Utility | Used in Production |
| date-fns | Major | Date Utility | Used in Production |
| clsx | Major | ClassName Utility | Used in Production |
| react-ga4 | Major | Google Analytics | Some Apps Only |
| qrcode.react | Major | QR Code Generation | Specific Apps Only |
| react-hotkeys-hook | Major | Keyboard Shortcuts | Specific Apps Only |
| papaparse | Major | CSV Parsing | components Only |
Handling Method
- Verify CI passes (run all tests / specific app tests)
- Check CHANGELOG
- Test affected apps and team member review
You can check which apps are affected with the `yarn why <package>` command.
Low Risk
Low-risk libraries have the following characteristics:
- Development tools
- Directly detectable in CI
- No impact on users
Target Libraries
Minor, Patch Updates of CI Detectable (Build/Test/Lint)
| Library | Version | Description | Impact |
|---|---|---|---|
| vite | Minor, Patch | Build Tool | All App Build |
| typescript | Minor, Patch | Type System | All App Build |
| @vitejs/plugin-react | Minor, Patch | Vite React Plugin | All App Build |
| turbo | Minor, Patch | Monorepo Build Tool | CI/CD |
| jest | Minor, Patch | Test Framework | All App Tests |
| vitest | Minor, Patch | Test Framework | All App Tests |
| @playwright/test | Minor, Patch | E2E Testing | E2E Tests |
| eslint | Minor, Patch | Linter | Code Quality |
| @typescript-eslint/* | Minor, Patch | TypeScript ESLint | Code Quality |
| storybook | Minor, Patch | Component Docs | components Package |
| @storybook/* | Minor, Patch | Storybook Related | components Package |
Patch Updates with Runtime Impact
| Library | Version | Description | Impact |
|---|---|---|---|
| axios | Patch | HTTP Client | All App API Calls |
| i18next | Patch | i18n Support | All App i18n Parts |
| react-i18next | Patch | React i18n Binding | All App i18n Parts |
| konva | Patch | Canvas Library | Specific Apps Only |
| react-konva | Patch | Konva React Binding | Specific Apps Only |
| recharts | Patch | Chart Library | Specific Apps Only |
Pure Development Tools (All Versions)
| Library | Version | Description | Impact |
|---|---|---|---|
| @types/* | Major, Minor, Patch | Type Definitions | Dev Only |
| prettier | Major, Minor, Patch | Code Formatter | Dev Only |
| stylelint | Major, Minor, Patch | Style Linter | Dev Only |
| eslint-config-* | Major, Minor, Patch | ESLint Config | Dev Only |
| eslint-plugin-* | Major, Minor, Patch | ESLint Plugins | Dev Only |
| @testing-library/* | Major, Minor, Patch | Test Utilities | Test Only |
| ts-jest | Major, Minor, Patch | Jest TypeScript | Test Only |
| @vitest/ui | Major, Minor, Patch | Vitest UI | Test Only |
| sass | Major, Minor, Patch | SCSS Compiler | Build Only |
| husky | Major, Minor, Patch | Git Hooks | Dev Only |
| lint-staged | Major, Minor, Patch | Staged File Lint | Dev Only |
| remark-* | Major, Minor, Patch | Markdown Lint | Dev Only |
| cspell | Major, Minor, Patch | Spell Check | Dev Only |
| chromatic | Major, Minor, Patch | Visual Testing | components Only |
Minor, Patch Updates of Low-Risk Runtime Utilities
| Library | Version | Description | Impact |
|---|---|---|---|
| lodash | Minor, Patch | Utility | Used in Production |
| js-cookie | Minor, Patch | Cookie Utility | Used in Production |
| date-fns | Minor, Patch | Date Utility | Used in Production |
| clsx | Minor, Patch | ClassName Utility | Used in Production |
| react-ga4 | Minor, Patch | Google Analytics | Some Apps Only |
| qrcode.react | Minor, Patch | QR Code Generation | Specific Apps Only |
| react-hotkeys-hook | Minor, Patch | Keyboard Shortcuts | Specific Apps Only |
| papaparse | Minor, Patch | CSV Parsing | components Only |
Handling Method
- Verify CI passes
- Review by auto-assigned member
Processing Schedule
To efficiently process PRs for the classified library version updates, you can create the following weekly schedule.
| Day | Task |
|---|---|
| Monday | Check Dependabot PRs, Assign Reviewers |
| Tuesday~Wednesday | Merge Low/Medium Risk PRs |
| Thursday~Friday | Review and Test High Risk PRs |
This schedule can be adjusted according to your team’s situation.
Priority Guidelines
While it is ideal to process every PR quickly, you need to set priorities when resources are limited. For example, you can use the following guidelines:
- Patch: Process when 5 or more accumulate (handle security vulnerabilities immediately)
- Minor: Process when 2 or more accumulate (handle security vulnerabilities immediately)
- Major: Process after team discussion
Conclusion
This concludes our look at risk classification criteria for efficiently processing Dependabot PRs.
In the next post, we will learn about Dependabot configuration and automation methods using GitHub Actions based on these classification criteria.