We've changed the way Dependabot updates insecure dependencies: we now generate a PR to update you to the minimal fixed version, rather than the latest version.
On March 26th malware was injected into bootstrap-sass, a popular Ruby gem. The attack was quickly spotted but it highlighted the same security issues as the recent eslint-scope and
event-stream incidents.
Last week a malicious alteration was discovered in event-stream, a widely
downloaded npm package. Full details are in the npm team's write
up, but the tl;dr is that a bad actor was added as a
maintainer of event-stream and inserted malware into a new release. The
malware was discovered three months later.
Happy Thanksgiving. Today, we're thankful for all the open-source maintainers.
Dependabot can now update both Yarn and npm transitive dependencies in response to security advisories for Node packages.
Good news for Gophers: Dependabot can now keep your go.mod and go.sum files
up to date ๐
GitHub announced the GitHub Security Advisory API today at GitHub Universe. Dependabot now uses it to pull in additional security vulnerability details, and to respond to new security advisories instantly.
We've been working hard to improve Dependabot's Gradle support, and are upgrading its status to "beta".
Dependabot can now update your elm.json if you're using Elm 0.19, and will
continue to update your elm-package.json if you're using Elm 0.18.
Dependabot now checks Sonatype's OSS Index when looking for vulnerable dependency versions. As a result, vulnerable Java and .NET dependencies will now recieve update PRs immediately, with details of the vulnerability being fixed.
Using Terraform to manage your infrastructure? Dependabot can now help keep your Terraform modules up-to-date.
Using Poetry as your package manager for Python? Dependabot can now help keep
your pyproject.toml and pyproject.lock up-to-date. ๐
Using Elm? Dependabot can now help you keep your elm-package.json file
up-to-date.
Using Go? If you're using dep for your dependency management then Dependabot
can now help you keep your Gopkg.toml and Gopkg.lock files up-to-date.
We've integrated Dependabot with GitHub's Security Alerts. Now when you receive a security alert from GitHub you can expect a PR from Dependabot that fixes it soon after.
Working on a JavaScript monorepo that uses Lerna? Dependabot will now update all your package.json files automatically.
You can now specify "working hours" for Dependabot's automerge functionality. ๐ค
Automerged updates must be enabled at the account level (from account settings in your dashboard) before they can be configured on a project.
Early this morning Dependabot's 100,000th pull request was merged. It was to a
private repo and updated the Ruby gem selenium-webdriver from 3.12.0 to
3.13.0.
๐ฏ๐๐ฏ๐๐ฏ๐๐ฏ๐๐ฏ๐
Using .NET? Dependabot can now help you keep the dependencies in your project files up-to-date.
We've improved Dependabot's version resolution logic. It can now keep you up-to-date with patch releases to older major versions.
If you use pip-tools to manage your Python dependencies, Dependabot will now
keep your requirements.in files up-to-date, too, and ensure your dependencies
are always compatible.
By default, Dependabot will now limit the number of open pull requests it has for any project/language combination to 10.
We released beta support for Rust back in March. Today, we're blessing it with full release status. ๐
Using Gradle? Dependabot can now help you keep the dependencies in your build.gradle files up-to-date.
Dependabot now checks custom Maven repositories specified in your pom.xml for
updates. You'll start seeing updates for dependencies from them automatically.
Dependabot can now help you keep multimodule Maven projects up-to-date.
Dependabot now supports private Elixir packages and organizations.
Dependabot now creates pull requests immediately in response to security advisories for Node packages. ๐ต๏ธโโ๏ธ
You can now set Dependabot to only create PRs in response to security advisories.
Dependabot now creates pull requests immediately in response to security advisories for Ruby, PHP and Rust (more languages coming soon). It can also automatically merge those PRs for you.
Using Rust? Dependabot can now help you keep your Cargo.toml and Cargo.lock files up-to-date.
Dependabot can now create pull requests for you the minute new dependency versions are released. โก๏ธ
We've overhauled Dependabot's pull requests to include changelogs, release notes and commit details. Here's an example.
We released beta support for Elixir back in January. Today, we're blessing it with full release status. ๐
Dependabot can now automatically merge patch-level updates for you.
Automerged updates must be enabled at the account level (from account settings in your dashboard) before they can be configured on a project.
When we added beta support for Elixir six weeks ago one of the things that was missing was support for umbrella applications. As of today, that's fixed.
Dependabot now signs its commits, so you can be sure they're from us.
We just shipped a new feature: an option to only receive lockfile-only updates. ๐
We released alpha support for Java (Maven) back in January. Today, we're upgrading support to beta, with a plan for the additional improvements we need to get Java to full release status. ๐
On February 6th, 2018, a GitHub user set support@dependabot.com as their
GitHub email address, which caused Dependabot's commits to appear to be attached
to their account. The issue is now resolved, cannot recur, and was only a
display bug.
Gemnasium has been acquired by GitLab and is shutting down its GitHub service in May. Their blog post is candid about why: GitHub's dependency graph and security alerts work has undermined their value proposition.
Using Elixir? Dependabot can now help you keep your dependencies up-to-date. ๐
We released beta support for PHP back in June last year. Today, we're blessing it with full release status. ๐
We love making Dependabot as delightful as possible - we think it makes the difference between a product people use and one they love.
Python devs: Dependabot can now help keep your Pipfile and Pipfile.lock
up-to-date. ๐
We released beta support for Python back in July. Today, we're blessing it with full release status. ๐
We've just made Dependabot much easier to use with JavaScript:
We released beta support for npm a month ago. Today, we're blessing it with full release status. ๐
Since launching Dependabot for Ruby six months ago, we've had a guilty secret: Dependabot couldn't handle the most difficult updates. Specifically, it couldn't hack updates where multiple dependencies needed to be updated at the same time.
Now it can.
It's been a month since Dependabot was added to the GitHub Marketplace. Time to crunch some numbers on the effect it's had.
Want to try Dependabot but need to see it in action first? You can now sign up for a free trial of Dependabot's paid plans. ๐
Using npm for your JavaScript dependencies? Dependabot can now help you keep
your package-lock.json up-to-date.
We released beta support for Dockerfiles two weeks ago. Today, we're blessing it with full release status. ๐
It's a really common problem: you contribute a fix or feature to a library but want to pull in your changes before the maintainer has cut a release. The solution is to use a git source specifying your commit, but it's easy to then forget about the git source in your Gemfile and fall behind on other updates.
We just shipped a handy new feature: you can now ask Dependabot to ignore a major or minor version of a dependency.
Using Git submodules in your project? Dependabot can now keep them up-to-date for you.
Dependabot is currently helping test the latest pre-release candidate of Bundler 1.16.0. If you see anything odd in any of the pull requests we generate, let us know.
Dependabot can now help you keep the sub-dependencies of your Ruby gems up-to-date.
A month ago we had a report of some strange behaviour from Dependabot: on some projects, we were creating a "Dependabot can't resolve your Ruby dependency files" issue, only to immediately close it. Hunting down that bug took me right to the core of Bundler's dependency resolution logic, and I spent three weeks working to improve it.
We've open-sourced Dependabot Core, the core logic behind Dependabot. Full details are in the project's readme.
Using Python? Dependabot now works with pip to automate keeping your dependencies up-to-date.
A month ago we wrote about our vision for dependency management. At the time, we wanted to Dependabot to achieve the following:
From today, Dependabot pull requests will include details the percentage of test suites that pass for the relevant update, in the form a compatibility badge:
We just shipped a handy little new feature: the ability to reduce the frequency of dependency updating from daily to weekly.
Using PHP? Dependabot now works with Composer to automate keeping your packages up-to-date.
Last week we launched Dependabot, a dependable robot whoโll keep your dependencies up-to-date forย you. We've got big plans for it.
Dependabot has pretty strong views on dependency management. If you use it, youโre signing up to keep your dependencies up-to-date all the time (although itโs easy to ignore versions you donโt want to use).
Want to keep your application as secure as possible? According to the last 10 years of Rubysec data, the most secure, actionable strategy is to keep your dependencies on the bleeding edge.
Today, weโre launching Dependabotโโโa dependable robot whoโll keep your dependencies up-to-date forย you. Hereโs how it works.