Setting Up Automated Dependency Updates in 5 Minutes


A step-by-step tutorial for setting up Aiori's automated dependency management. Get AI-powered updates with code fixes running in under 5 minutes.


What You'll Achieve in 5 Minutes

By the end of this tutorial, you'll have:
- Aiori installed on your GitHub repositories
- Automatic scanning for outdated dependencies and security vulnerabilities
- AI-powered code fixes for breaking changes
- Pull requests that actually work, not just version bumps

No complex configuration. No YAML files. Just working automated maintenance. Let's get started.

Prerequisites

Before you start, make sure you have:
- A GitHub account with admin access to at least one repository
- A repository with npm (package.json), Python (requirements.txt), or both
- A test suite (recommended but not required)
- 5 minutes of uninterrupted time

That's it. You don't need to install anything locally or configure API keys. Aiori runs as a GitHub App, so everything happens in the cloud.

Step 1: Install the Aiori GitHub App (1 minute)

1.1 Go to the Aiori installation page:
Visit [aiori.ai](https://aiori.ai) and click 'Connect GitHub' or go directly to [github.com/apps/aiori-app](https://github.com/apps/aiori-app).

1.2 Choose your installation scope:
You'll see a page asking 'Where do you want to install Aiori?' You have two options:
- Install on all repositories (easier, but gives Aiori access to everything)
- Install on selected repositories (more secure, recommended to start)

Recommendation: Start with 'selected repositories' and choose 1-2 repositories you want to test with. You can add more later.

1.3 Select your repositories:
Click the dropdown and select the repositories you want Aiori to monitor. For your first time, choose:
- A non-critical repository (not your production monolith)
- A repository with good test coverage (so you can verify Aiori's changes work)
- A repository with some outdated dependencies (so you can see Aiori in action)

1.4 Click 'Install':
GitHub will ask you to confirm. Click 'Install' and wait for the redirect back to Aiori.

Done! Aiori now has access to your selected repositories. Time elapsed: ~1 minute.

Step 2: Initial Repository Scan (Automatic, 1-2 minutes)

After installation, Aiori automatically scans your repositories. You don't need to do anything—this happens in the background.

What Aiori is doing:
- Cloning your repository
- Reading your package.json, requirements.txt, and lock files
- Checking each dependency against:
  - Latest available versions
  - Known CVEs (security vulnerabilities)
  - Breaking change history
- Analyzing your code to understand how you use each dependency
- Prioritizing issues by severity and risk

How to watch progress:
Go to the Aiori dashboard (you'll be redirected there after installation, or visit [dashboard.aiori.ai](https://aiori.ai/dashboard)). You'll see:
- Repository scan status (scanning/complete)
- Number of dependencies checked
- Number of issues found
- Recommended updates

The scan typically takes 1-2 minutes for a small-to-medium repository (~50 dependencies). Larger repositories may take 3-5 minutes.

Time elapsed: ~3 minutes total.

Step 3: Review Your First AI-Generated PR (1-2 minutes)

Once the scan completes, Aiori will create pull requests for the highest-priority issues. Let's walk through reviewing one.

3.1 Go to your GitHub repository
Click 'Pull Requests' in your repository. You should see one or more PRs from Aiori with titles like:
- 'Security fix: Update lodash to 4.17.21 (fixes CVE-2024-XXXXX)'
- 'Update axios to v1.6.0 and fix breaking changes'
- 'Patch updates: 5 dependencies with no breaking changes'

3.2 Open a PR and review the description
Aiori's PR descriptions include:
- What changed: Which dependencies were updated and to what versions
- Why: Security fix, feature update, or maintenance
- Breaking changes: What APIs changed and how Aiori fixed them in your code
- Test results: Whether your test suite passed with the changes
- Files changed: List of modified files with explanations

Example PR description:

## Security Fix: Update axios to v1.6.0

**CVE Fixed:** CVE-2024-12345 (SSRF vulnerability, CVSS 7.5)

**Changes:**
- Updated axios from 0.27.2 to 1.6.0
- Fixed error handling in 12 files to use new error structure
- Updated type definitions in api.ts

**Breaking Changes Handled:**
- Error responses now use axios.isAxiosError() guard
- Error.response structure changed (updated in all catch blocks)

**Test Results:** ✅ All 47 tests passed

**Files Changed:**
- package.json (version bump)
- src/api/*.ts (12 files, error handling updates)

3.3 Review the code changes
Click the 'Files changed' tab. Look at what Aiori modified:
- Version bumps in package.json are obvious
- Code changes should make sense (if they don't, that's worth flagging)
- Check if any critical files were changed unexpectedly

3.4 Check test results
Aiori runs your test suite automatically. Look for the green checkmark from your CI system (GitHub Actions, CircleCI, etc.). If tests fail, Aiori will note that in the PR description and may have attempted additional fixes.

3.5 Merge the PR
If everything looks good:
- Click 'Merge pull request'
- Choose 'Squash and merge' (recommended, keeps history clean)
- Delete the branch after merging

Done! Your first automated dependency update is live. Time elapsed: ~5 minutes total.

Step 4: Configure Your Preferences (Optional, 2 minutes)

By default, Aiori is conservative: it creates PRs for you to review, but doesn't auto-merge anything. You can customize this behavior.

Go to Aiori Settings:
From the Aiori dashboard, click 'Settings' for your repository.

Configure update preferences:

Auto-merge patch updates:
- Enable: ✅ Recommended
- What it does: Automatically merges updates like 1.2.3 → 1.2.4 (no breaking changes)
- Requires: Test suite must pass

Auto-merge minor updates:
- Enable: ⚠️ Use with caution
- What it does: Automatically merges updates like 1.2.0 → 1.3.0 (new features, should be backward compatible)
- Requires: Test suite must pass AND high confidence score from Aiori

Require review for major updates:
- Enable: ✅ Always recommended
- What it does: Never auto-merge major version changes (1.x → 2.x). Always creates a PR for human review.

Notification preferences:
- Slack notifications: Add your Slack webhook to get notified when PRs are created
- Email digest: Daily/weekly summary of dependency updates

Recommended settings for most teams:
- Auto-merge patch updates: ✅
- Auto-merge minor updates: ❌ (too risky for most teams)
- Require review for major updates: ✅
- Run test suite before merging: ✅
- Slack notifications: ✅

Save your settings. Aiori will now follow these rules for all future updates.

What Happens Next: Continuous Monitoring

Congratulations! You've set up automated dependency maintenance. Here's what happens from now on:

Daily (automated):
- Aiori scans your dependencies for new updates and CVEs
- If issues are found, Aiori creates PRs with fixes
- If you enabled auto-merge for patch updates, low-risk updates merge automatically after tests pass

Weekly (automated):
- Aiori sends you a digest email summarizing all activity:
  - Dependencies updated
  - Security vulnerabilities fixed
  - PRs waiting for review
  - Recommendations for major updates

When a CVE is disclosed (automated):
- Aiori detects the CVE within minutes
- Creates an urgent PR with the security fix
- Notifies you via Slack/email
- If configured, auto-merges after tests pass (for critical security updates)

When a major framework update is released:
- Aiori analyzes the breaking changes
- Creates a PR with all necessary code fixes
- Tags it for human review
- Provides a detailed migration guide in the PR description

You don't need to do anything proactive. Aiori handles the monitoring, scanning, fixing, and PR creation. You just review and merge (or let it auto-merge based on your settings).

Troubleshooting Common Issues

Issue: 'Aiori created a PR, but tests are failing'
This means Aiori attempted to fix breaking changes but didn't fully succeed. This is rare but can happen with complex codebases.

Solution:
1. Check the test failure logs in the PR
2. Aiori usually leaves a comment explaining what it couldn't fix
3. You can either:
   - Fix the remaining issues manually (Aiori got you 90% there)
   - Close the PR and update manually
   - Ask Aiori to retry (comment '@aiori retry' in the PR)

Issue: 'Aiori created multiple PRs for the same dependency'
This can happen if a dependency has multiple updates in quick succession (e.g., a security patch right after a feature release).

Solution:
1. Merge the most recent PR (Aiori always creates PRs for the latest version)
2. Close the older PR as obsolete
3. Aiori will automatically detect that the dependency is now up-to-date

Issue: 'I want Aiori to ignore a specific dependency'
Sometimes you want to pin a dependency at a specific version (e.g., because you're on a custom fork).

Solution:
Add a `.aiori.json` file to your repository root:

```json
{
  "ignore": [
    "some-package",
    "another-package@^1.0.0"
  ]
}
```

Aiori will skip these dependencies in future scans.
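To make the two policy pieces on this page concrete, here is an added example (not Aiori's code) that applies the Step 4 update settings and this section's `.aiori.json` ignore list to a proposed update. The settings key names and the meaning of a ranged ignore entry (a bare name skips the package entirely; `name@^1.0.0` skips only updates still inside that caret range) are assumptions, since the page does not document them.

```python
import json
# Added example, not Aiori's own code. Assumed, not documented: the meaning of a
# ranged ignore entry ("another-package@^1.0.0") and the settings key names.

def parse(version):
    """'v1.2.3' / '1.2.3' -> (1, 2, 3); anything else raises ValueError."""
    major, minor, patch = version.lstrip("v").split(".")
    return (int(major), int(minor), int(patch))

def bump_kind(current, latest):
    """Classify an update as none / patch / minor / major."""
    cur, new = parse(current), parse(latest)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "patch"

def in_caret_range(version, spec):
    """^x.y.z: >= x.y.z and below the next major (next minor when x == 0)."""
    base, v = parse(spec[1:]), parse(version)
    upper = (base[0] + 1, 0, 0) if base[0] else (0, base[1] + 1, 0)
    return base <= v < upper

def is_ignored(name, latest, config):
    """Assumed: a bare name skips the package; name@^range skips only
    updates whose target version still lies inside that range."""
    for entry in config.get("ignore", []):
        cut = entry.find("@", 1)  # start at 1: keep the "@" of scoped packages
        pkg, spec = (entry, "") if cut < 0 else (entry[:cut], entry[cut + 1:])
        if pkg != name:
            continue
        if not spec or (spec.startswith("^") and in_caret_range(latest, spec)):
            return True
    return False

def decide(name, current, latest, config, settings, tests_passed, confidence):
    """One proposed update -> 'skip', 'auto-merge' or 'review'."""
    kind = bump_kind(current, latest)
    if kind == "none" or is_ignored(name, latest, config):
        return "skip"
    if not tests_passed:  # a failing suite never auto-merges, whatever the settings
        return "review"
    if kind == "patch" and settings["auto_merge_patch"]:
        return "auto-merge"
    if kind == "minor" and settings["auto_merge_minor"] and confidence >= settings["min_confidence"]:
        return "auto-merge"
    return "review"  # major updates always land here

# Step 4's recommended settings and this section's ignore file (constructed).
RECOMMENDED = {"auto_merge_patch": True, "auto_merge_minor": False, "min_confidence": 0.9}
CONFIG = json.loads('{"ignore": ["some-package", "another-package@^1.0.0"]}')
```

With the recommended settings, the lodash patch from Step 3 auto-merges once tests pass, the axios 0.27.2 to 1.6.0 jump is always routed to review, and an update of `another-package` inside `^1.0.0` is skipped.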

Issue: 'Aiori isn't creating PRs'
If Aiori has scanned your repository but hasn't created any PRs, it might mean all your dependencies are already up-to-date!

Solution:
1. Check the Aiori dashboard to see the scan results
2. Look for any ignored issues or warnings
3. If you're sure there should be updates, try triggering a manual scan (button in the dashboard)

Next Steps: Expand and Automate Further

Now that you've set up Aiori on one repository, consider:

1. Enable Aiori on more repositories
Go to your GitHub Aiori app settings and add more repositories. The more repos you add, the more time you save.

2. Enable auto-merge for patch updates
If you have good test coverage, let Aiori auto-merge patch updates (1.2.3 → 1.2.4). This eliminates even the review step for low-risk updates.

3. Set up Slack notifications
Get notified when Aiori creates PRs so you can review them quickly. Faster reviews = more up-to-date dependencies.

4. Integrate with your CI/CD pipeline
Configure your CI system to deploy automatically after Aiori PRs merge (if tests pass). Now your dependencies update AND deploy without human intervention.

5. Review Aiori's recommendations
The Aiori dashboard shows recommendations for major updates that require more planning. Schedule time each quarter to tackle these.

That's it! You've set up automated dependency management in 5 minutes. Your code is now continuously maintained, security vulnerabilities are fixed automatically, and you can focus on building features instead of babysitting dependencies.

Questions? Issues? Feature requests? Reach out at [hello@aiori.ai](mailto:hello@aiori.ai) or open an issue on [GitHub](https://github.com/aiori-app/aiori).

Ready to automate your dependency updates?

Try Aiori and see how AI-powered dependency management can save you hours every week.
