21 comments

[ 1.7 ms ] story [ 29.0 ms ] thread
OP here. Would love any feedback on Dependabot - been building it for the last 6 months and did an interview with Indie Hackers on it over at https://www.indiehackers.com/businesses/dependabot.
Where did you get your template? Really like it.
All our own work! But you’re very welcome to steal. Our talented friend, Sam Willis, did the design.
GitHub, Codacy and others only detect out of date dependencies - very cool how you go the extra step and make a PR. Congratulations and best wishes to you.
Thanks! We wanted to make it as easy as possible, rather than just nagging. There’s actually quite a lot of work involved in generating the updates (assessing resolvability and generating lock files is harder than it sounds), but we think it’s worth it.
Any future plans to integrate with Gitlab and/or other Git hosting services?
Yes! We’ve already had quite a few GitLab requests, so they’re the next provider we’ll target.
Oh this is quite clever, we always tend to forget to update the dependencies…
I’ve been trying this out since the IndieHackers interview. Really great product. Thank you for keeping the free plan open for personal private repos.
Great to hear! I promise we’ll always keep it free for personal private repos - it makes a tonne of sense from our perspective, as we want to build a product people use and advocate.
Great project.

OT but Kudos on linking the "Trusted by" icons (though it's only gov.uk that points to something that is actually using it). These Trusted by Microsoft, Slack, Techcrunch, etc icons are ubiquitous on every site and project but nobody ever links to it for details/proof. I wish more people would do this instead of just making a huge collage of brand icons.

Thanks for the feedback. I’ll link up the Wire and ODI ones now too - they’re both really heavily open source so we can show what we do for them.

And yes - totally agree!

We (Pixie Labs) have been using Dependabot for a month or two now. Here four reasons why, as a small team with a bunch of codebases to look after, we <3 them:

1. Their pre-sales support was great and they went out of their way to accommodate our requirements. 2. You can get ongoing support from them by @ing the bot in a PR (and they reply inline!). 3. It drip-feeds you updates (5 a day), so a really old project is still manageable. 4. The PR message contains links to release notes, changelog, and actual commits, for the library in question. This is such a time save (and reveals how many OSS projects don't have decent changelogs).

What does this provide that others (Gemnasium, greenkeeper) do not?
Thanks for taking a look!

The biggest difference to Gemnasium is that we’ll creat the update PRs for you automatically. The biggest difference to Greenkeeper is that we handle lockfiles out of the box and give you compatibility scores for each update. We love both services, though!

Does it support Pipfile? I'd happily switch from pyup.io or requires.io if it does.

Edit: ooh, I see its oss and this search indicates Pipfile support is likely: https://github.com/dependabot/dependabot-core/search?utf8=%E...

Yes! We just added (beta) support for Pipenv!
Awesome! You should add that, along with what looks like cleaner yarn.lock support than greenkeeper has, to your landing page under some sort of features section since this isn't the first product in this space and people will be looking for differentiating features :)
Oh, I like this! Had so much troubles at my previous job with getting the updates, is there something new, then one dependency breaks other one....such a mess. Great job folks!