Thanks for your comment!

I guess the core of my answer is just that I’m lazy 😂. I got sick of manually upgrading the packages in my projects. Most of the upgrades for stuff like url_launcher for example are minor but it gets updated somewhat often.

I get what you mean about semantic versioning though, some people don’t follow it and you get issues once in awhile. For a project in production that has a lot of users I would leave out the major version flag. There is definitely risk involved with breaking things but I feel like it is worth it personally.

To be honest the idea of things breaking did horrify me a bit at first but I thought I’d try it out anyway and I’m slowly warming to it. I’ve set my own Actions to run once a week and I haven’t had any major problems yet(we’ll see how things go though…). There are still projects I have that I upgrade manually. Opinions are definitely divided but there must be demand for it considering things like Dependabot exist. 😅

Jordan Holland

Agreed, but Dependabot exists purely for security purposes and is an alerting tool first and foremost.

It's not often that it automatically creates the PR for the fix and in the end, you still need to approve the merge so it leaves the decision 100% in the hands of the developer, it does not make the choices for you.

Personally use the IDE plugin to inform me when package updates are available, I can then open the spec and just click "accept". That way the analyzer has a heart attack if there are breaking changes and I can simply "ctrl+z" and carry on with my life until I feel like dealing with it.

Reme Le Hane I'm not sure if I agree with that. If you go on the homepage it says 'Automated dependency updates' and below that it says 'Dependabot creates pull requests to keep your dependencies secure and up-to-date.' then if you look at the the 'How it works' flow it says 'Dependabot pulls down your dependency files and looks for any outdated or insecure requirements.' then 'If any of your dependencies are out-of-date, Dependabot opens individual pull requests to update each one.' (dependabot.com)

Security is definitely a part of it but I'd say the automated dependency updates are just as important. Maybe it started out with a security focus, but there are now even StackOverflow questions about how to configure it just to do security updates(stackoverflow.com/a/64145646) (apparently you don't even need to configure it in your repo anymore since GitHub acquired it, it just does it automatically for security updates now and I've seen it do this in some of my NodeJS/Javascript repos).

I'm not saying what I wrote above is a replacement or better than Dependabot, it is way too basic. If there was proper Dependabot support I would just use that(fingers crossed it happens soon 😅).

What you said about PRs, the same thing applies to what I wrote above in the action - you need to merge the changes for them to take affect it doesn't auto merge the PR for you it just creates it. You have to make a conscious decision to merge it.

The big difference is it doesn't update things one by one like Dependabot or have the same level of granular settings. If you are worried about the project breaking I think it'd just be a matter of running flutter build apk like I wrote above and it would tell you if you had any issues(then the action would fail, same as if your tests failed - the PR wouldn't even be created).

As far as the IDE plugin goes that actually sounds pretty nice, what are you using Android Studio or Visual Studio Code?