First of all, thanks for Discourse and thanks for making it open source.
I’ve got a suggestion / request: would you be up for using Dependabot to automatically create dependency update PRs? I built it and would love to have Discourse using it because it would be great for Dependabot’s profile, but I wouldn’t suggest it (or have created it) if I didn’t think it would be genuinely useful.
Basically, it’s a bot that creates dependency update pull requests for Ruby, JS, and a bunch of other languages. It pulls in security vulnerability alert data, changelogs and release notes in order to make the PRs as easy to review as possible - you can see an example of a PR that I ported across from my fork here.
There are two options for using it. In both cases you get a separate PR for each dependency update (the PRs will automatically rebase themselves if they get conflicts, etc.):
- Security updates only, where it only creates PRs if/when one of your dependencies has a security vulnerability (like the Nokogiri PR I created this morning). Judging by the last month or so, you should expect about 1 PR a month in this case.
- Update all dependencies, so you receive a PR whenever there’s an update to one of your top-level dependencies (i.e., the ones in your Gemfile and/or package.json). This is how most people use Dependabot, and you should expect 2-3 PRs a week on a repo like Discourse, most of which will be patch updates.
The bot is used by a few thousand organisations, including GitHub themselves on some of their open source repos. It’s been reviewed by the GitHub Security team in order to be accepted into the GitHub Marketplace, and the source code is available in the dependabot/dependabot-core repo. Finally, I’m full time on it and a maintainer of Bundler, so I can promise it will keep getting better. It’s already had 18 months of full time work put into it, so it’s pretty solid.
What do you reckon? Any concerns or questions I can answer? It goes without saying that it’s free for open source and always will be.