GitHub acquires Dependabot


It was recently announced that GitHub has acquired Dependabot. This is the latest in a string of big announcements, product news, and acquisitions from GitHub.

Via the announcement post:

Here's what you need to know:

  • We're integrating Dependabot directly into GitHub, starting with security fix PRs 👮‍♂️
  • You can still install Dependabot from the GitHub Marketplace whilst we integrate it into GitHub, but it's now free of charge 🎁
  • We've doubled the size of Dependabot's team; expect lots of great improvements over the coming months 👩‍💻👨‍💻👩‍💻👨‍💻👩‍💻👨‍💻

What are your reactions to this news?

DISCUSS (13)
 

This is awesome for developers short term because having this fully integrated will be really nice.

Long term, it centralizes more power to Microsoft and weakens the ecosystem/platform concept a bit. I think it's always important to root for alternative options to remain relevant.

 

One thing about the centralization is that Dependabot's core functionality is open source! And the blog post about the acquisition said it was the plan to keep it that way!

I hope this open core model might help fight some of this centralization by giving motivated individuals the ability to host their own alternative version.

 
 

Agree, actually I haven't used or even heard of Dependabot until now but I've always added snyk.io to my Node.js projects. Will likely stick with them unless there's major benefits to GitHub's offering.

 

Agreed. Renovate is fantastic though and will give GH a run for their money.

 

I forgot! The creator of Dependabot has contributed code to dev.to.

Bump nokogiri from 1.8.3 to 1.8.4 #297

greysteil commented on Aug 09, 2018

Bumps nokogiri from 1.8.3 to 1.8.4.

Changelog

Sourced from nokogiri's changelog.

1.8.4 / 2018-07-03

Bug fixes

  • [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]
Dependabot compatibility score

I generated this by using Dependabot, a tool I built, on my fork. Would love to get you using it - it's totally free for open source and always will be. Hopefully it can save you a bunch of time, but having more repos use it that have great test suites also helps keep the compatibility score numbers super robust, so is good for everyone.

And that's how we got Dependabot integrated into our project. We've been longtime users.

 

Should be valuable for teams with little time to do this themselves, and encourages good testing hygiene, so you can actually accept all the PRs coming your way from the bot :)

There are other options of course: Snyk (as mentioned elsewhere) and OWASP Dependency Check, both of which concentrate on matching package versions in use with known vulnerabilities, thereby focusing on security rather than keeping up with the latest major version. YMMV.
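As an added example (not code from the original post, nor from Dependabot, Snyk or OWASP Dependency Check), here is a small Python matcher that does what the comment above describes: it reads the locked versions out of a Gemfile.lock-style file and checks each one against an advisory table of affected version ranges, reporting the fixed version to upgrade to. The lockfile fragment and the advisory entries, including the demo-* package names and the EXAMPLE-ADV identifiers, are constructed for this example and are not real advisories; nokogiri 1.8.3 appears in the lockfile only because that version is in the PR quoted earlier in the thread, and no advisory is attached to it. The constraint grammar is deliberately limited to the comparison operators the table uses.

```python
import re
from typing import Dict, List, Tuple

# Constructed Gemfile.lock fragment (not taken from any real project).
LOCKFILE = """\
GEM
  remote: https://rubygems.org/
  specs:
    demo-auth (2.0.6)
    demo-xml (1.2.1)
    mini_portile2 (2.3.0)
    nokogiri (1.8.3)
      mini_portile2 (~> 2.3.0)

PLATFORMS
  ruby
"""

# Constructed advisory table with placeholder identifiers. The package
# names, ranges and IDs are made up for the example; none is a real advisory.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-0001", "package": "demo-xml", "affected": ">= 1.0.0, < 1.3.0", "fixed": "1.3.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "demo-auth", "affected": "< 2.0.6", "fixed": "2.0.6"},
    {"id": "EXAMPLE-ADV-0003", "package": "demo-xml", "affected": "< 0.9.0", "fixed": "0.9.0"},
]

# Top-level gems in the specs block are indented by exactly four spaces and
# carry their resolved version in parentheses; transitive requirements sit
# under them with six spaces and a constraint, so they are skipped.
_SPEC_LINE = re.compile(r"^ {4}(\S+) \(([\w.\-]+)\)$")
_CONSTRAINT = re.compile(r"^(<=|>=|<|>|=)\s*([\w.\-]+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.3' into (1, 8, 3); a non-numeric segment such as a pre-release tag counts as 0."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_lockfile(text: str) -> Dict[str, str]:
    """Collect name -> locked version for the top-level gems of a Gemfile.lock 'specs:' block."""
    deps: Dict[str, str] = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and not line.startswith("    "):
            in_specs = False  # blank line or next section (PLATFORMS, ...) ends the block
        if in_specs:
            m = _SPEC_LINE.match(line)
            if m:
                deps[m.group(1)] = m.group(2)
    return deps


def version_in_range(version: str, spec: str) -> bool:
    """True when every comma-separated constraint in spec holds for version."""
    v = parse_version(version)
    for raw in spec.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {raw!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        # Pad to equal length so (1, 8) compares like (1, 8, 0).
        width = max(len(v), len(bound))
        a = v + (0,) * (width - len(v))
        b = bound + (0,) * (width - len(bound))
        ok = {"<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b, "=": a == b}[op]
        if not ok:
            return False
    return True


def find_vulnerable(deps: Dict[str, str], advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one record per advisory whose affected range contains the locked version."""
    hits = []
    for adv in advisories:
        locked = deps.get(adv["package"])
        if locked is not None and version_in_range(locked, adv["affected"]):
            hits.append({"package": adv["package"], "locked": locked,
                         "advisory": adv["id"], "fixed": adv["fixed"]})
    return hits


def audit(lockfile_text: str, advisories: List[Dict[str, str]] = ADVISORIES) -> List[Dict[str, str]]:
    """Parse the lockfile and match it against the advisory table."""
    return find_vulnerable(parse_lockfile(lockfile_text), advisories)


if __name__ == "__main__":
    for hit in audit(LOCKFILE):
        print(f"{hit['package']} {hit['locked']}: {hit['advisory']} (upgrade to {hit['fixed']})")
```

Run against the constructed input, only demo-xml 1.2.1 is flagged: demo-auth is already at the fixed version, so a strict `< 2.0.6` bound correctly leaves it alone, and the second demo-xml advisory covers an older range. The point a real tool adds on top of this is the advisory feed itself and the PR that bumps the version; the comparison logic is the same.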

 

This is awesome! I personally have been using Snyk, which looks like it does something very similar to Dependabot. Having security features like this built in and for free is a plus.

 

I've said it a few times in the last few days since this announcement, but I couldn't be happier for the Dependabot team!

They make an amazing product and have always been amazingly helpful whenever I've had an issue. I've reached out a few times now just by mentioning them on one of my PRs, and EVERY time the founder has responded back to me very promptly and we've figured out the issue! Even as far as him shipping a code change within a few hours to fix an issue I was seeing!

Congrats on the acquisition guys, and can't wait for what's in the future!

 

Could somebody give me a 'for dummies' guide as to what Dependabot is and what its benefits are? I'm seeing lots of positive things being said about it but am still a little unclear on what it is, as it's my first time hearing the name.

 

From the previous "Sponsor" post, it seems like GitHub's trying to make hard things easy for devs by integrating 'em into GitHub.

 

Is that the reason they are down? :)

Good post though. Now do remember who owns GitHub.

 

This is actually really good news! I loved Dependabot.
