Today, we’re launching Dependabot — a dependable robot who’ll keep your dependencies up-to-date for you. Here’s how it works.

Dependa-what?

Dependabot is a GitHub app that automates dependency updates.

Every day, Dependabot pulls down your dependency files and looks for any outdated requirements. If any of your dependencies are out-of-date, Dependabot opens individual pull requests to bump each one. All you need to do is check your tests pass, scan the included changelog and release notes, and make a call on hitting merge or skipping the new version.

Currently Dependabot supports Ruby and Javascript (Yarn), with support for PHP and npm5 coming very soon.

Dependa-why?

We’ve blogged in detail about why you should keep your dependencies up-to-date, including analysing 10 years of Rubysec vulnerability data. The TL;DR is:

• Staying up-to-date is the most secure strategy
• Making incremental changes beats have big-bang updates

There are other apps out there that can help you with the above, but Dependabot is the only one that supports multiple languages and has an open-source core.

Dependa-ok-this-looks-awesome-how-do-I-sign-up?

Just click on one of the links below. The app is totally free for the first month if you sign up before June 14th 2017.