
Show HN: Dependabot – Automated Dependency Update PRs for Ruby, JS, Python and PHP - greysteil
https://dependabot.com
======
superasn
Great project.

OT, but kudos on linking the "Trusted by" icons (though it's only gov.uk that
points to something that is actually using it). These "Trusted by Microsoft,
Slack, Techcrunch, etc." icons are ubiquitous on every site and project, but
nobody ever links them to details/proof. I wish more people would do this
instead of just making a huge collage of brand icons.

~~~
greysteil
Thanks for the feedback. I’ll link up the Wire and ODI ones now too - they’re
both really heavily open source so we can show what we do for them.

And yes - totally agree!

------
jalada
We (Pixie Labs) have been using Dependabot for a month or two now. Here are four
reasons why, as a small team with a bunch of codebases to look after, we <3
them:

1. Their pre-sales support was great and they went out of their way to
accommodate our requirements.

2. You can get ongoing support from them by @ing the bot in a PR (and they
reply inline!).

3. It drip-feeds you updates (5 a day), so a really old project is still
manageable.

4. The PR message contains links to release notes, changelog, and actual
commits, for the library in question. This is such a time saver (and reveals
how many OSS projects don't have decent changelogs).

------
greysteil
OP here. Would love any feedback on Dependabot - been building it for the last
6 months and did an interview with Indie Hackers on it over at
[https://www.indiehackers.com/businesses/dependabot](https://www.indiehackers.com/businesses/dependabot).

~~~
grajaganDev
GitHub, Codacy and others only detect out of date dependencies - very cool how
you go the extra step and make a PR. Congratulations and best wishes to you.

~~~
greysteil
Thanks! We wanted to make it as easy as possible, rather than just nagging.
There’s actually quite a lot of work involved in generating the updates
(assessing resolvability and generating lock files is harder than it sounds),
but we think it’s worth it.

------
dschep
Does it support Pipfile? I'd happily switch from pyup.io or requires.io if it
does.

Edit: ooh, I see it's OSS and this search indicates Pipfile support is likely:
[https://github.com/dependabot/dependabot-core/search?utf8=%E...](https://github.com/dependabot/dependabot-core/search?utf8=%E2%9C%93&q=pipfile&type=)

~~~
greysteil
Yes! We just added (beta) support for Pipenv!

~~~
dschep
Awesome! You should add that, along with what looks like cleaner yarn.lock
support than greenkeeper has, to your landing page under some sort of features
section since this isn't the first product in this space and people will be
looking for differentiating features :)

------
Dirlewanger
What does this provide that others (Gemnasium, greenkeeper) do not?

~~~
greysteil
Thanks for taking a look!

The biggest difference to Gemnasium is that we'll create the update PRs for you
automatically. The biggest difference to Greenkeeper is that we handle
lockfiles out of the box and give you compatibility scores for each update. We
love both services, though!

------
aennyta
Oh, I like this! Had so many troubles at my previous job with getting the
updates: is there something new, then one dependency breaks another one... such
a mess. Great job, folks!

------
nickromano
I’ve been trying this out since the IndieHackers interview. Really great
product. Thank you for keeping the free plan open for personal private repos.

~~~
greysteil
Great to hear! I promise we’ll always keep it free for personal private repos
- it makes a tonne of sense from our perspective, as we want to build a
product people use and advocate.

------
mnapoli
Oh this is quite clever, we always tend to forget to update the dependencies…

------
megamindbrian2
That makes 2, greenkeeper.io

