How dependabot works
72 points
by zdw
6 days ago
| 5 comments
| nesbitt.io
| HN
esafak
1 day ago
[-]
Dependabot has a free quota to get you hooked, but renovate is the better product. So I consider reflecting on how dependabot works a bit of a waste. I started with the former and gradually migrated to the latter. I particularly like the regex handler; you can track pretty much anything.
reply
rtpg
21 hours ago
[-]
We have also worked via Renovate recently and are enjoying it. The dashboard is particularly nice for onboarding repos with lots of old deps (checkmark -> make a PR is a nice flow that semi-automates things).

Dependabot integrates decently well with Github of course but so far renovate has worked well for us.

reply
rmunn
1 day ago
[-]
Had not come across renovate before; thanks for the tip. I see on https://www.mend.io/renovate/ that they have a "Community" edition that includes both cloud and self-hosting, but the cloud hosting is free. Should I be concerned that their loss-leader offering is expensive and will drag the company down, or is their cloud resource usage for the Community edition so lightweight that it's costing them almost nothing in server costs?

Second question: could you expand a little bit on why you like renovate better than dependabot? I can see how the regex handler could be useful for a lot of custom scenarios, but what else makes you say that renovate is the better product?

reply
jamietanna
20 hours ago
[-]
Renovate maintainer and Community manager here

Before I joined Mend to work on Renovate, I wrote https://news.ycombinator.com/item?id=40011111 which goes into some ways I found Renovate better than Dependabot, and it still very much holds true (although I'm a little more biased now!)

You can also check out https://docs.renovatebot.com/bot-comparison/ for a high level comparison between the two

Re costs / why giving things away for free - @rarkins (Rhys Arkins, who created Renovate) has worked very hard over the years to give as much good stuff away to the community, and make it more straightforward for folks to run Renovate

The core (Mend Renovate CLI (AGPL-3.0-only)) is free to use and run as you want, and many folks do - it's very flexible and scales well as-is

But if you want things like real-time webhook processing of "rebase this PR" (and/or a few other features) then Mend Renovate Self-Hosted Community (commercial-but-free) Edition is a nice packaging and layer on top of the CLI for that

Running the CLI itself on a schedule against your repos is also absolutely viable as a solution, and we have many users who do that and are super happy with it

reply
baby_souffle
1 day ago
[-]
> or is their cloud resource usage for the Community edition so lightweight that it's costing them almost nothing in server costs?

The bigger concern is that you're effectively letting them (shallow) clone your repo. I prefer to self-host but that's not anywhere near as quick/easy as clicking the "integrate with GitHub" button.

> Second question: could you expand a little bit on why you like renovate better than dependabot?

They both do the same thing in about the same way... Dependabot is meant to be run at _massive_ scale across all of github so it has good support for the basic / common places people pin versions. It is quite slow to get support for newer conventions that are not ubiquitous across all of github. Easy example: k8s manifests where you might have "use $thisVersion of HelmChart" buried somewhere in yaml instead of in a clear-cut place like `requirements.txt`

Renovate has optional web UI and can be integrated with GitHub as an "app" for some interactive features but that's not worth the setup for small scale.

Renovate is _much_ more robust / the number of $things that it can detect and is a lot more extensible; as mentioned elsewhere in this thread, the regex feature is delightful. It's a pain to debug, but once you grock it / figure out how the custom regex stuff works, it's really nice.

I have more than a few scripts where the only versioned dependency is embedded in some URL:

``` wget http://github.com/some-repo/releases/v1.2.3/the-tool.tar.gz ```

And after a bit of regex work, renovate now knows to check that repos release page for updated versions and when it finds one, it updates the URL and pings me with a PR.

reply
esafak
1 day ago
[-]
I self-host their community edition. It does not feel heavy.

I particularly like its ability to synchronize updates to packages across ecosystems. You can sync a tool's version in Docker, mise, and GHA, for example. You can run arbitrary post-upgrade tasks.

reply
tasuki
20 hours ago
[-]
> Dependabot has a free quota to get you hooked

Hooked? I always look how to turn it off. I never once found it useful.

reply
JimDabell
21 hours ago
[-]
Is Dependabot actively maintained? I thought they announced a freeze on new features a while back, and their uv support never worked properly and has serious known security problems:

> There's an issue where security alerts for uv projects are not working correctly. Specifically, the uv.lock file is not being updated when security alerts are triggered.

https://github.com/dependabot/dependabot-core/issues/10478#i...

reply
WorldMaker
9 hours ago
[-]
It seems like there's recently been a lot of work to better align Dependabot with the rest of GitHub Advanced Security. I've just started seeing Dependabot alerts showing up in the Security Tab instead of directly to PRs, moving the "make a PR" to a button inside the alert, but also more buttons now to ignore the alert. The alert is also better about showing the root dependency that brought in the alerted dependency. Overall, this seems an improvement over spamming PRs that I may not care about, though yes the PRs when you do click the "Create PR" button are just as anemic and specific to the low-level dependency as they always were, for now. I'm surprised there's not yet a "Start Copilot PR" version of that same button, but I'm guessing that's also what they've been working on over other features to the existing PR tool.
reply
lucideer
21 hours ago
[-]
Yeah pretty sure it's abandonware.

I was expecting it to be replaced once they announced they were integrating Endor Labs into their GitHub Advanced Security enterprise offerings but all the news I've heard since that announcement has been focused on merging into Microsoft & AI-related layoffs so I presume someone just forgot to turn the Dependabot light off as they were leaving.

reply
Timwi
18 hours ago
[-]
My only experience with dependabot has been that GitHub spammed me with notifications from it. Now don't get me wrong, if I have a project with an outdated version of jQuery that has security vulnerabilities, it's useful to know about it. But it kept notifying me even after I committed a change to delete that jQuery file because the project no longer needed it. I couldn't find an easy way to get it to shut up about it.
reply
dimitrisnl
21 hours ago
[-]
I hate it with passion. It won't respect pinned versions in package.json. I have to explicitly exclude stuff. Be better.
reply
worksonmine
14 hours ago
[-]
Could you elaborate a little? Are you saying it should ignore vulnerable packages simply because you pinned it to a specific version? Or does it warn even if your specific version isn't vulnerable?
reply
JackSlateur
15 hours ago
[-]
tldr: a github action with a cron schedule that runs whatever code is required to update whatever you have, and then push the diff (if any) in a branch and create a PR (if needed)

We are using something heavily derived from https://github.com/romoh/dependencies-autoupdate

reply