We've open-sourced Dependabot Core, the core logic behind Dependabot. Full details are in the project's readme.
Dependabot Core is a collection of helper classes for automating dependency updating. Some of that's trivial, but other bits are quite involved:
- Checking for the latest version of a dependency that's resolvable given a project's other dependencies. With Ruby or PHP (and in future Python) that means tapping into Bundler or Composer's dependency resolution logic
- Generating lockfiles for the updated dependency version. For update pull requests to be as useful as possible they need to be equivalent to doing the update locally, but for Dependabot to be fast, and not cost $$$ to host, it needs to avoid actually doing an install whilst generating the updated files
- Finding changelogs and release notes. This is done by looking for source code links in the the dependency's registry entry, and then scouring those links for details about the new release.
As the name suggests, Dependabot Core is pretty core to Dependabot - the rest of our app is pretty much just a UI and database. If we were paranoid about someone stealing our nascent business then we'd be keeping it under lock and key.
We're open-sourcing Dependabot Core because we're more interested in it having an impact than we are in making a buck from it. We'd love you to use Dependabot, so that we can continue to develop it, but if you want to build and host your own version this library should make doing so a lot easier.
If you use Dependabot Core we'd love to hear about what you build!