Gemnasium are being acquired by GitLab. Here's what that means for everyone else


Gemnasium has been acquired by GitLab and is shutting down its GitHub service in May. Their blog post is candid about why: GitHub's dependency graph and security alerts work has undermined their value proposition.

For the Gemnasium team we hope it's a great result. You deserve it. Over the years you've built a fantastic product that has driven dependency management forwards. Without your efforts, software everywhere would be buggier and less secure. There's no way GitHub would have built their dependency graph and security alert features without you. GitLab are getting a great team, and we can't wait to see what you guys do next.

For Gemnasium's GitHub customers, the announcement is no doubt less positive, since the service will shut down in May. If you don't want to switch to GitLab then we'd love you to try Dependabot. Rather than provide you with a dashboard, we create dependency update pull requests for you automatically. We hope you'll love our service as much as you loved Gemnasium.

Finally, for us, Gemnasium's blog post is a warning of what can happen to businesses in a platform ecosystem. We believe Dependabot adds a lot of value over GitHub's dependency graph, and over Gemnasium, but if GitHub were to replicate our functionality they would likely crush us. We don't believe that's in their interest, but are staying as close to them as possible.

We hope that Dependabot will continue to thrive in a healthy GitHub ecosystem. If it doesn't then it will be because, like Gemnasium, we proved our worth so persuasively that we get copied by the bigger guys. The good news for our customers is that they will win either way.

Dependabot helps keep your dependencies up-to-date. It's free for personal accounts and open source, and always will be.
