Blog

Dependabot now supports Pipenv (in beta)!


Python devs: Dependabot can now help keep your Pipfile and Pipfile.lock up-to-date. 🎉

Read more...

Dependabot's Python support is out of beta


We released beta support for Python back in July. Today, we’re blessing it with full release status. 🎉

Read more...

Dependabot's JavaScript support just got even better


We’ve just made Dependabot much easier to use with JavaScript:

Read more...

Dependabot's npm support is out of beta


We released beta support for npm a month ago. Today, we’re blessing it with full release status. 🎉

Read more...

Handling thorny Ruby dependency updates


Since launching Dependabot for Ruby six months ago, we’ve had a guilty secret: Dependabot couldn’t handle the most difficult updates. Specifically, it couldn’t hack updates where multiple dependencies needed to be updated at the same time.

Read more...

The GitHub Marketplace effect on distribution


It’s been a month since Dependabot was added to the GitHub Marketplace. Time to crunch some numbers on the effect it’s had.

Read more...

Get a Dependabot free trial for your company


Want to try Dependabot but need to see it in action first? You can now sign up for a free trial of Dependabot’s paid plans. 🎉

Read more...

Announcing beta support for npm


Using npm for your JavaScript dependencies? Dependabot can now help you keep your package-lock.json up-to-date.

Read more...

Docker support is out of beta


We released beta support for Dockerfiles two weeks ago. Today, we’re blessing it with full release status. 🎉

Read more...

Announcing Docker support


Using Docker? Dependabot can now help you keep your base image up-to-date.

Read more...

Updating Ruby dependencies with a git source


It’s a really common problem: you contribute a fix or feature to a library but want to pull in your changes before the maintainer has cut a release. The solution is to use a git source specifying your commit, but it’s easy to then forget about the git source in your Gemfile and fall behind on other updates.
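As an added example (not Dependabot's own code), here is a small Ruby script that finds the gems in a Gemfile that come from a git source and reports what they are pinned to, so forgotten git pins can be reviewed rather than silently falling behind. The Gemfile content is constructed for illustration, and the parser is a deliberately simple line-based regex rather than Bundler's real DSL evaluator.

```ruby
# Constructed Gemfile used as sample input (not from any real project).
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.1"
  gem "sidekiq", git: "https://github.com/mperham/sidekiq.git", ref: "abc123def"
  gem "faraday", github: "lostisland/faraday", branch: "master"
  gem "puma"
GEMFILE

# One git-sourced gem: its name, where it comes from, and how it is pinned
# (pin_type is "ref", "tag" or "branch"; both fields are nil if unpinned).
GitGem = Struct.new(:name, :source, :pin_type, :pin)

# Returns the gems declared with a `git:` or `github:` source. Assumes one
# `gem` declaration per line, which is how most Gemfiles are written.
def git_pinned_gems(gemfile)
  gemfile.each_line.map do |line|
    m = line.match(/^\s*gem\s+["']([^"']+)["'](.*)$/)
    next unless m
    name, rest = m[1], m[2]
    source = rest[/\b(?:git|github):\s*["']([^"']+)["']/, 1]
    next unless source
    pin_type, pin = rest.match(/\b(ref|tag|branch):\s*["']([^"']+)["']/)&.captures
    GitGem.new(name, source, pin_type, pin)
  end.compact
end

# Gems pinned to a commit or branch are the ones that never see new releases
# until someone remembers to change the pin.
def stale_pin_report(gemfile)
  git_pinned_gems(gemfile).map do |g|
    "#{g.name}: #{g.source} (#{g.pin_type || 'unpinned'} #{g.pin})".strip
  end
end

if __FILE__ == $PROGRAM_NAME
  puts stale_pin_report(SAMPLE_GEMFILE)
end
```

Run it against a real Gemfile by replacing `SAMPLE_GEMFILE` with `File.read("Gemfile")`; any gem it lists is a candidate for either moving back to a released version or bumping the pinned ref.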

Read more...

Ignoring a major / minor version


We just shipped a handy new feature: you can now ask Dependabot to ignore a major or minor version of a dependency.
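To make the semantics concrete, here is an added Ruby example (not Dependabot's implementation) of how an "ignore this major or minor version" rule narrows the set of candidate updates. The rule format, a version prefix such as `"2"` or `"1.5"`, and the candidate version list are assumptions for illustration; it uses `Gem::Version` from Ruby's standard library for comparison so that pre-release versions and multi-digit segments sort correctly.

```ruby
require "rubygems" # Gem::Version lives here; normally loaded already

# True if `version` falls under any ignored prefix: "2" ignores every 2.x.y,
# "1.5" ignores every 1.5.x. Comparison is on parsed segments, so "1.50.0"
# is not mistaken for a 1.5.x release.
def ignored?(version, ignore_rules)
  segs = Gem::Version.new(version).segments
  ignore_rules.any? do |rule|
    prefix = Gem::Version.new(rule).segments
    segs.first(prefix.length) == prefix
  end
end

# Highest candidate newer than `current` that is not a pre-release and not
# covered by an ignore rule; nil if nothing is left to update to.
def latest_allowed(current, candidates, ignore_rules)
  cur = Gem::Version.new(current)
  candidates.map { |v| Gem::Version.new(v) }
            .reject { |v| v <= cur || v.prerelease? || ignored?(v.to_s, ignore_rules) }
            .max&.to_s
end

# Constructed release list for a hypothetical dependency.
CANDIDATES = ["1.4.3", "1.5.0", "1.5.1", "1.50.0", "2.0.0", "2.1.0.beta1"]

if __FILE__ == $PROGRAM_NAME
  puts latest_allowed("1.4.2", CANDIDATES, ["2"])        # skip the major bump
  puts latest_allowed("1.4.2", CANDIDATES, ["2", "1.5"]) # also skip 1.5.x
end
```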

Read more...

Dependabot now supports Git submodules


Using Git submodules in your project? Dependabot can now keep them up-to-date for you.

Read more...

Helping test Bundler 1.16.0


Dependabot is currently helping test the latest pre-release candidate of Bundler 1.16.0. If you see anything odd in any of the pull requests we generate, let us know.

Read more...

Dependabot now supports Ruby libraries


Dependabot can now help you keep the sub-dependencies of your Ruby gems up-to-date.

Read more...

Fixing Bundler's dependency resolution algorithm and making it 2x faster


A month ago we had a report of some strange behaviour from Dependabot: on some projects, we were creating a “Dependabot can’t resolve your Ruby dependency files” issue, only to immediately close it. Hunting down that bug took me right to the core of Bundler’s dependency resolution logic, and I spent three weeks working to improve it.

Read more...

Dependabot's core logic is now open-source


We’ve open-sourced Dependabot Core, the core logic behind Dependabot. Full details are in the project’s readme.

Read more...

Dependabot now supports Python


Using Python? Dependabot now works with pip to automate keeping your dependencies up-to-date.

Read more...

Expanding our vision: automated refactors for major version updates


A month ago we wrote about our vision for dependency management. At the time, we wanted Dependabot to achieve the following:

Read more...

Introducing Dependabot compatibility scores


From today, Dependabot pull requests will include the percentage of test suites that pass for the relevant update, in the form of a compatibility badge:

Read more...

Dependabot now supports PHP


Using PHP? Dependabot now works with Composer to automate keeping your packages up-to-date.

Read more...

Weekly bumping


We just shipped a handy little new feature: the ability to reduce the frequency of dependency updating from daily to weekly.

Read more...

A bigger vision for dependency management


Last week we launched Dependabot, a dependable robot who’ll keep your dependencies up-to-date for you. We’ve got big plans for it.

Read more...

Why bother keeping dependencies up-to-date?


Dependabot has pretty strong views on dependency management. If you use it, you’re signing up to keep your dependencies up-to-date all the time (although it’s easy to ignore versions you don’t want to use).

Read more...

Ten years of Rubysec data analysed to find the most secure dependency strategy


Want to keep your application as secure as possible? According to the last 10 years of Rubysec data, the most secure, actionable strategy is to keep your dependencies on the bleeding edge.

Read more...

Introducing Dependabot!


Today, we’re launching Dependabot — a dependable robot who’ll keep your dependencies up-to-date for you. Here’s how it works.

Read more...