Warning This project is now deprecated due to dependabot's API changing. You should use RenovateBot instead, which does the same thing now.

Github includes an awesome feature called Dependabot, which automatically creates pull requests to update your outdated dependencies. It supports automatically merging those pull requests, but sadly does not have a blacklist for troublesome updates.

Behold, Dependamerge! Dependamerge lets you push Dependabot to its limits by automatically merging all pull requests. You can run it only when your tests pass on continuous integration, or, for the more adventurous, you could have it merge anything no matter what. Importantly, it also allows you to blacklist pesky updates.

npm install --save-dev dependamerge

Create a dependamerge.json file in your project's root directory. It accepts the following fields:

Create a personal access token on Github that has access to your repository. Then add it as an environment variable in your continuous integration software.

Invoke Dependamerge after your continuous integration software successfully finishes testing pull requests. Don't worry, it will ignore pull requests by users other than Dependabot. Be sure to pass it the pull request's number and the Github token created in step 3. On Travis CI this is accomplished by adding the following snippet to travis.yml.

after_success:
    - 'if [ $TRAVIS_PULL_REQUEST != "false" ]; then node
      node_modules/dependamerge/src/index.js $TRAVIS_PULL_REQUEST $GITHUB_TOKEN; fi'

Perfect your origami skills with all that time you saved.

Automatically updating your dependencies can easily introduce bugs without you noticing. Ensure that you have strong test coverage before installing Dependamerge, or make liberal use of the neverUpdate and the onlyUpdatePatches settings to avoid accidentally introducing bugs.

Contributions would be much appreciated! Please open an issue to get started.