How to Use Dependabot to keep Remix up-to-date

If you use Dependabot to keep your project dependencies up-to-date and you also use Remix, you may have noticed that it doesn't send PRs for Remix's private packages, only for the public remix package and React Router DOM.

This is because the private packages are not published on npm, so Dependabot can't find them. We can configure it to send PRs for them by creating a simple file.

In your repository create the file .github/dependabot.yml with the following content:

version: 2
registries:
  # Here you will configure an npm-like registry with the Remix url
  npm-remix:
    type: npm-registry
    url: https://npm.remix.run
    # This token is used to authenticate the requests to the registry
    token: ${{secrets.REMIX_TOKEN}}
  # And because of the config we are going to do we also need to configure the
  # normal npm registry and pass a token
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    token: ${{secrets.NPM_TOKEN}}
updates:
  - package-ecosystem: "npm"
    directory: "/"
    open-pull-requests-limit: 10
    # And here we tell Dependabot to send PRs for npm-like registries using the
    # registries we defined above
    registries:
      - npm-remix
      - npm-npmjs
    schedule:
      interval: "daily"

Now get your Remix license token, and create an npm token at https://www.npmjs.com/settings/{USERNAME}/tokens.

Now go to your repository settings on GitHub, open the Secrets option, and then the Dependabot secrets (don't confuse them with the Actions secrets). The URL should look something like https://github.com/{USER_OR_ORG}/{REPO}/settings/secrets/dependabot

Once you are there, create a new secret called REMIX_TOKEN and set its value to your Remix license token, then create another secret called NPM_TOKEN and set its value to your npm token.
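Before committing, it is worth checking that the file only references secrets and never embeds a token, and that every registry listed under updates is actually defined. The following is an added example, not part of the original post: `audit` is a hypothetical helper, the sample input is constructed, and the line-based parsing assumes the block layout shown above rather than arbitrary YAML.

```python
import re
# Constructed sample: this page's config with a literal token and a misspelled registry name.
SAMPLE = """\
version: 2
registries:
  npm-remix:
    type: npm-registry
    url: https://npm.remix.run
    token: ${{secrets.REMIX_TOKEN}}
  npm-npmjs:
    type: npm-registry
    url: https://registry.npmjs.org
    token: npm_CONSTRUCTED_NOT_A_REAL_TOKEN
updates:
  - package-ecosystem: "npm"
    directory: "/"
    registries:
      - npm-remix
      - npm-npmjz
"""
SECRET_REF = re.compile(r"^\$\{\{secrets\.(\w+)\}\}$")

def audit(text):  # hypothetical helper, not a Dependabot or GitHub API
    """Return (secret names to create, problems) for a dependabot.yml text."""
    defined, used, secrets, problems = set(), set(), [], []
    section = current = refs_indent = None  # refs_indent: open list under updates
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            section, refs_indent = line.split(":")[0], None
        elif section == "registries" and indent == 2 and line.endswith(":"):
            defined.add(current := line[:-1])
        elif section == "registries" and line.startswith("token:"):
            match = SECRET_REF.match(line.split(":", 1)[1].strip().strip("\"'"))
            if match:
                secrets.append(match.group(1))
            else:  # report the registry name only, never echo the token value
                problems.append(f"{current}: token is a literal, not a secret reference")
        elif section == "updates" and line == "registries:":
            refs_indent = indent
        elif refs_indent is not None and indent > refs_indent and line.startswith("- "):
            used.add(line[2:].strip().strip("\"'"))
        else:
            refs_indent = None
    problems += [f"updates: undefined registry {n}" for n in sorted(used - defined)]
    return secrets, problems
```

Run it as `audit(open(".github/dependabot.yml").read())`: the first list is the set of Dependabot secrets that must exist in the repository settings, and the second should be empty.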

Now commit your changes, push them to your repository, and you are done!

Dependabot will now be able to send PRs for private Remix packages and the public packages you use from npm.