
Dependabot is joining GitHub - reqres
https://dependabot.com/blog/hello-github/
======
the_duke
Edit: copy/pasting my more extensive comment from the Sponsors thread.

All the recent additions to Github are superficially very nice and convenient
features (Actions, package registry, Sponsors, Dependabot).

But they represent a very significant change in mindset. Github is turning
from a neutral code hosting platform with a myriad of equally empowered third
party integrations into the direction of an "all in one" dev tool and platform.

I understand the internal pressures to do this: increased popularity, added
value proposition for customers, more revenue.

But: all the built-in tools will have an inherent advantage over third party
solutions. This inevitably leads to increased lock-in and homogenization.

I was very critical of the Microsoft acquisition for similar reasons, and
considering the monumental role Github represents for open source today, I am
very sceptical of the way things are going.

We might very well regret centralizing everything open source around Github in
a few years.

~~~
hanniabu
> But: all the built-in tools will have an inherent advantage over third party
> solutions. This inevitably leads to increased lock-in and homogenization.

There's no lock-in, you can continue whatever integrations or pipeline you
have now. This just gives an easier option. Them offering Github Pages isn't
lock-in to their hosting, but it offers convenience in various scenarios.

~~~
lasagnaphil
If you view Github as just a Git (and occasionally static site) hosting
service, then there's no lock-in whatsoever; you can always move to somewhere
like Gitlab or host your own. But the point is: Github isn't just a Git
website anymore; it creates a community around it. Right now the reason why
people aren't easily moving out of Github is because by moving to somewhere
else, they have to risk getting fewer views, less recognition, and fewer pull
requests for their libraries. Also, if you were a Sponsor in Github and
earning $30000 a month and then had disagreements with Github's policies and
want to get out, you now have to risk shaving off all your sponsors to switch
to a different service like Liberapay. Maybe some of your passionate existing
patrons will go towards the extra effort to switch alongside you, but the
reality is: most won't.

There were lots of promises and hopes for the patron economy (or I would
extend this to call it a "distributed economy"), where people can directly
give money as reward for their work while avoiding the traditional
hierarchical structure of corporations. However, because of the nature of the
current society we live in, the ideal version of this economy would never come
to fruition. Think of examples such as Patreon, Youtube, and recently Github;
they're an enabler for diverse communities, rich subcultures, and innovative
ideas, but the users still have to live under the guise of huge capitalistic
forces. It seems that the distributed economy still has to live under the
current technocratic system (where huge tech corporations have much higher
leverage than small companies or non-profit organizations). To see this
relationship between users and corporations as either symbiotic or
exploitative is up to your choice, but I think the status-quo will stay for
quite some time.

~~~
Kalium
If you were a Sponsor in Liberapay and earning $30000 a month and then had
disagreements with Liberapay's policies and want to get out, you now have to
risk shaving off all your sponsors to switch to a different service like
GitHub. Maybe some of your passionate existing patrons will go towards the
extra effort to switch alongside you, but the reality is: most won't.

This isn't an argument against GitHub or LiberaPay. This is an argument
against being locked in to _any_ financial intermediary.

~~~
SifJar
Possibly a slight difference though in that GitHub isn't _just_ a financial
intermediary; with all the other functionality on offer, it may be a lot
easier to find something to disagree with/dislike

------
threeseed
Curious about the side effects of this.

Imagine you had an open source project that was just something on the side or
you worked on in a different life. And then you see pull requests for updates
and decide to fix a bug here or there. And then maybe it prompts you to
recommit to it.

If that were to apply to even a tiny percentage across all of Github could
have major implications for open source as a whole.

~~~
Already__Taken
This is absolutely a thing. I've ignored something until heroku let me know
it's on such an old platform version, it'll keep running but not restart. So
I've given it an update recently.

~~~
Fogest
I gave one of my projects a bit of an update after someone mentioned a part of
it was no longer working. I enjoy those kinds of reminders as it reminds me
some people still use it.

------
ValCanBuild
Massive congrats to the team! Well deserved, Dependabot is an awesome tool!

~~~
hcm
Thanks! We have plans to make it even more awesome from within GitHub :-)

------
ralphstodomingo
Microsoft really is growing GitHub. I can't say I'm not pleasantly surprised.

~~~
omeid2
The bush in my backyard is growing too, similar to the PHP API surface circa
PHP5, not every growth is a good thing. I am very cautious of what is to
become of Github in a couple of years.

------
rvanmil
Did GitHub just activate this without confirmation or notification? I'm
suddenly receiving PRs on my repos from dependabot without ever activating
this tool.

Edit: looks like they defaulted to enable "Automated security fixes" on the
Security > Alerts tab.

------
coreyja
Congrats to the Dependabot team!

I've had the pleasure of reaching out to Dependabot a few times when I've had
issues or problems and you guys have always been super responsive and quick to
fix any bugs!

Congrats again on joining Github! And excited to see what's next for
Dependabot!

------
craze3
Congrats guys! For anyone interested, here's an interview on how Dependabot
started: [https://www.indiehackers.com/interview/living-off-our-saving...](https://www.indiehackers.com/interview/living-off-our-savings-and-growing-our-saas-to-740-mo-696f9b110f)

------
muhgarvey
Congratulations! We're very happy with our Dependabot use and hope it helps
the community

------
floor_
Anyone else remember that whitespace bot that spammed everyone's repos? Last
thing we need are more bots clogging our code shitters.

------
illnewsthat
Can anyone recommend a tool similar to Dependabot that works with bitbucket?

------
jhuckestein
Massive congrats to the team - what a great and well deserved outcome :)

------
dm7
congrats!

------
jeffshek
Huge congrats to Dependabot team! If you're starting a new project in Python
(+ others), having Dependabot + CircleCI (or something equivalent) + strong
test coverage will save you hundreds of hours (eventually).

Best trick is to make sure your test coverage is strong early (I know this is
easier said than done ...), then you can just merge updated requirements
without ever worrying.

GitHub has a type of service that would check requirements already, it just
never felt as polished as Dependabot. But it goes to show how far a committed
team can prioritize over bigger players. IIRC, they still use Heroku, which
seems like a lot of discipline in prioritizing the right product features over
just building tech stacks in BigCloudProviders.

~~~
hcm
Thanks!

------
stephenson
That makes so much sense! A more secure open source world, a better product
for our close projects and two amazing tools merging. Love it!

Dependabot, you did well, built a fantastic tool, now join the rocketship and
kick ass!

~~~
craftyguy
> A more secure open source world

A world built on proprietary services is not an open source world.

