Use Dependabot to keep Remix up-to-date
If you use Dependabot to keep your project dependencies up-to-date, and if you use Remix you may have noticed it doesn't send PRs for the private packages of Remix, only the public remix
one and React Router DOM.
This is because the private packages are not published on npm so Dependabot can't find them, but we can configure it to send PRs for them creating a simple file.
In your repository create the file .github/dependabot.yml
with the following content:
version: 2
registries:
# Here you will configure an npm-like registry with the Remix url
npm-remix:
type: npm-registry
url: https://npm.remix.run
# This token is used to authenticate the requests to the registry
token: ${{secrets.REMIX_TOKEN}}
# And because of the config we are going to do we also need to configure the
# normal npm registry and pass a token
npm-npmjs:
type: npm-registry
url: https://registry.npmjs.org
token: ${{secrets.NPM_TOKEN}}
updates:
- package-ecosystem: "npm"
directory: "/"
open-pull-requests-limit: 10
# And here we tell Dependebot to send PRs for npm-like registries using the
# registries we defined above
registries:
- npm-remix
- npm-npmjs
schedule:
interval: "daily"
Now, get your Remix license token and an npm token from this link: https://www.npmjs.com/settings/{USERNAME}/tokens
.
Now go to your repository settings and on GitHub, go to the Secrets option and then to the Dependabot secrets (don't confuse them with the Action secrets), the URL should be something like this https://github.com/{USER_OR_ORG}/{REPO}/settings/secrets/dependabot
Once you are there create a new secret called REMIX_TOKEN
and set its value to your Remix license token and another secret called NPM_TOKEN
and set its value to your npm token.
Now commit your changes and push them to your repository and you are done!
Dependeabot will now be able to send PRs for private Remix packages and the public packages you use from npm.