
Dependabot is now free - colinbartlett
https://nimbleindustries.io/2019/05/26/dependabot-is-now-free-and-its-amazing/
======
nullandvoid
For anyone who wants this functionality directly in the editor and is working
with npm / VS Code, I've found this extension to be great:
[https://marketplace.visualstudio.com/items?itemName=pflannery.vscode-versionlens](https://marketplace.visualstudio.com/items?itemName=pflannery.vscode-versionlens)

( no affiliation just a happy user )

------
detaro
Recent (4 days ago) discussion of the acquisition:
[https://news.ycombinator.com/item?id=19989631](https://news.ycombinator.com/item?id=19989631)

------
Cogitri
I've been using Dependabot (for free) for my Rust projects for the last few
months; it really is nice.

------
pbiggar
Excellent marketing! I checked out the author's product, Statusgator, and
signed up for a $30/mo plan. It aggregates statuspages of all the vendors we
use, and pings our slack channel. Super useful!

------
CraftThatBlock
What's the difference vs Greenkeeper?

~~~
colinbartlett
Greenkeeper seems to only support NPM, whereas Dependabot supports NPM,
RubyGems, and a bunch of other languages.

~~~
CraftThatBlock
Ah I see, thank you!

------
derkoe
[https://renovatebot.com/](https://renovatebot.com/) is open source and
supports more dependency management systems

------
latchkey
> "Microsoft, the richest public company in the world"

Not even the top 15 [1], they are 16th.

[1] [https://www.forbes.com/global2000](https://www.forbes.com/global2000)

~~~
croon
I'm sure what they had heard was "highest valued" and drew some incorrect
assumptions regarding what that means. But according to your link, they're not
even highest there, beaten slightly by Apple.

------
kimat
[https://github.com/sanemat/tachikoma](https://github.com/sanemat/tachikoma)

------
matthewbauer
I don’t understand why we need these tools when we use semver. The semver
range should be flexible enough to handle the nonbreaking changes. You
definitely don’t want a bot updating breaking changes of dependencies
automatically, unless you like breaking things. That’s the kind of thing that
should require manual intervention.

~~~
epage
As someone who has been using Dependabot for my Rust projects for about 6
months now, I appreciate having it attempt to upgrade past breaking changes.
Not all breaking changes break everyone. When they do break, I appreciate
knowing a new version is available for me to upgrade to so I don't fall
behind. Probably the riskiest case is behavior-breaking (rather than API)
where your tests don't happen to cover that case, but Dependabot helps by
gathering changelist info that I first review.

This is on top of the benefits of upgrading pinned-but-compatible versions
which someone else covered.
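
The two posts above turn on the difference between what a semver range
permits and what a lockfile actually pins. The following is an added example
(not code from this thread, from Dependabot, or from any of the tools named
here) that implements npm-style caret range semantics and sorts candidate
releases into "allowed by the range but blocked by the pin" versus "outside the
range, i.e. a major bump". The version list is constructed for illustration.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse a MAJOR.MINOR.PATCH string (optional leading 'v') into a tuple."""
    parts = v.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def caret_bounds(spec: str) -> Tuple[Version, Version]:
    """Lower (inclusive) and upper (exclusive) bound of a caret range.

    npm semantics: the left-most non-zero component may not change, so
    ^1.2.3 -> >=1.2.3 <2.0.0, ^0.2.3 -> >=0.2.3 <0.3.0, ^0.0.3 -> >=0.0.3 <0.0.4.
    """
    if not spec.startswith("^"):
        raise ValueError("only caret ranges are handled in this example")
    lo = parse(spec[1:])
    major, minor, patch = lo
    if major > 0:
        hi: Version = (major + 1, 0, 0)
    elif minor > 0:
        hi = (0, minor + 1, 0)
    else:
        hi = (0, 0, patch + 1)
    return lo, hi


def satisfies(version: str, spec: str) -> bool:
    """True if `version` is inside the caret range `spec`."""
    lo, hi = caret_bounds(spec)
    return lo <= parse(version) < hi


def classify_candidates(spec: str, pinned: str, available: List[str]) -> Dict[str, List[str]]:
    """Split releases newer than the lockfile pin into two buckets.

    'pinned_but_compatible': the range already allows them, but nothing moves
    the lockfile without a bot or a human re-resolving it.
    'breaking': outside the range; a range change (and review) is needed.
    """
    lo, hi = caret_bounds(spec)
    pin = parse(pinned)
    compatible: List[str] = []
    breaking: List[str] = []
    for v in available:
        t = parse(v)
        if t <= pin:
            continue  # not an upgrade at all
        (compatible if lo <= t < hi else breaking).append(v)
    return {"pinned_but_compatible": compatible, "breaking": breaking}


if __name__ == "__main__":
    # Constructed sample: manifest says ^1.2.0, lockfile pins 1.2.3,
    # and the registry has these releases.
    releases = ["0.9.0", "1.2.3", "1.2.4", "1.3.0", "2.0.0"]
    print(classify_candidates("^1.2.0", "1.2.3", releases))
```

The "pinned_but_compatible" bucket is exactly the case where a semver range
alone does nothing for you: the range would accept 1.2.4 or 1.3.0, but a
committed lockfile keeps installing 1.2.3 until something re-resolves it.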

------
BubRoss
I wish we could do away with the clickbait nonsense headline editorializing.

~~~
Jedi72
Anyone who'll say something is amazing without saying what it is is trying to
game you.

~~~
tomcam
Your insight is amazing

------
Animats
_Setup and installation is simple: a quick sign up with GitHub OAuth was all
that was required, along with a grant to read and write code in our
repositories._

Why does it need permissions to read and write code? If it's a public
repository, anyone can read. It shouldn't be modifying code. At best it should
be submitting patch requests.

Giving Microsoft write permission on open source code is dangerous. They might
decide that they need to inject "telemetry". As they've done to non-Microsoft
applications on Windows.

~~~
ralph84
When it creates a PR it creates a branch which requires write. Maybe it could
offer the option to create a fork instead, but that would add awkwardness and
friction just to satisfy a very small set of overly paranoid users. If you
don't trust GitHub not to modify your code why are you using GitHub as a host
in the first place.

