Sergio Xalambrí

Use Dependabot to keep Remix up-to-date

If you use Dependabot to keep your project dependencies up-to-date, and if you use Remix you may have noticed it doesn't send PRs for the private packages of Remix, only the public remix one and React Router DOM.

This is because the private packages are not published on npm so Dependabot can't find them, but we can configure it to send PRs for them creating a simple file.

In your repository create the file .github/dependabot.yml with the following content:

version: 2
  # Here you will configure an npm-like registry with the Remix url
    type: npm-registry
    # This token is used to authenticate the requests to the registry
    token: ${{secrets.REMIX_TOKEN}}
  # And because of the config we are going to do we also need to configure the
  # normal npm registry and pass a token
    type: npm-registry
    token: ${{secrets.NPM_TOKEN}}
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 10
    # And here we tell Dependebot to send PRs for npm-like registries using the
    # registries we defined above
      - npm-remix
      - npm-npmjs
      interval: "daily"

Now, get your Remix license token and an npm token from this link:{USERNAME}/tokens.

Now go to your repository settings and on GitHub, go to the Secrets option and then to the Dependabot secrets (don't confuse them with the Action secrets), the URL should be something like this{USER_OR_ORG}/{REPO}/settings/secrets/dependabot

Once you are there create a new secret called REMIX_TOKEN and set its value to your Remix license token and another secret called NPM_TOKEN and set its value to your npm token.

Now commit your changes and push them to your repository and you are done!

Dependeabot will now be able to send PRs for private Remix packages and the public packages you use from npm.