Use Dependabot for dependency updates?

First of all, thanks for Discourse and thanks for making it open source :heart:.

I’ve got a suggestion / request: would you be up for using Dependabot to automatically create dependency update PRs? I built it and would love to have Discourse using it because it would be great for Dependabot’s profile, but I wouldn’t suggest it (or have created it) if I didn’t think it would be genuinely useful.

Basically, it’s a bot that creates dependency update pull requests for Ruby, JS, and a bunch of other languages. It pulls in security vulnerability alert data, changelogs and release notes in order to make the PRs as easy to review as possible - you can see an example of a PR that I ported across from my fork here.

There are two options for using it. In both cases you get a separate PR for each dependency update (the PRs will automatically rebase themselves if they get conflicts, etc.):

  • Security updates only, where it only creates PRs if/when one of your dependencies has a security vulnerability (like the Nokogiri PR I created this morning). Judging on the last month or so, you should expect about 1 PR a month in this case.
  • Update all dependencies, so you receive a PR whenever there’s an update to one of your top-level dependencies (i.e., the ones in your Gemfile and/or package.json). This is how most people use Dependabot, and you should expect 2-3 PRs a week on a repo like Discourse, most of which will be patch updates.

The bot is used by a few thousand organisations, including GitHub themselves on some of their open source repos. It’s been reviewed by the GitHub Security team in order to be accepted into the GitHub Marketplace, and the source code is available in the dependabot/dependabot-core repo. Finally, I’m full time on it and a maintainer of Bundler, so I can promise it will keep getting better. It’s already had 18 months of full time work put into it, so it’s pretty solid.

What do you reckon? Any concerns or questions I can answer? It goes without saying that it’s free for open source and always will be.

10 Likes

Is there any way for Dependabot to create its branches in a fork, then make pull requests to the main repository? It would be nice if write permissions didn’t have to be granted to the app.

8 Likes

> Is there any way for Dependabot to create its branches in a fork, then make pull requests to the main repository? It would be nice if write permissions didn’t have to be granted to the app.

Frustratingly, there’s no easy way for me to get Dependabot to do that :sadpanda:. I’m going to speak to GitHub about it next week when I’m in San Fran, but at the moment:

  • GitHub Apps have to ask for the same permissions from all their installs
  • As a result, if Dependabot wants to be able to write branches for private repos (because it would be odd to fork them) then it needs to ask for write permission from all its users
  • That sucks and it’s obvious how it could be improved, but it’s out of my control
  • The only workaround from Dependabot’s side would be to create an entire separate app, like Dependabot-Fork, that used different permissions, but I think the scope for complexity and confusion there is too high

I’m really frustrated about the above, because I can totally see how a “fork and PR” flow would be more intuitive for open source projects, and I don’t like Dependabot having more permissions than it strictly needs. It will only ever push to branches namespaced under dependabot, and I say as much in our Terms of Service, but it’s still not ideal. On the plus side, there’s no way that Dependabot can push to protected branches (like discourse’s master).

7 Likes

I feel we just have to hold off here till “fork and PR” is a thing, any luck talking to GitHub?

4 Likes

Not yet, but I’ll keep plugging away, and this is a good incentive!

2 Likes