DEV Community

Peter Kim Frank
GitHub acquires Dependabot

It was recently announced that GitHub has acquired Dependabot. This is the latest in a string of big announcements, product news, and acquisitions from GitHub.

Via the announcement post:

Here's what you need to know:

  • We're integrating Dependabot directly into GitHub, starting with security fix PRs 👮‍♂️
  • You can still install Dependabot from the GitHub Marketplace whilst we integrate it into GitHub, but it's now free of charge 🎁
  • We've doubled the size of Dependabot's team; expect lots of great improvements over the coming months 👩‍💻👨‍💻👩‍💻👨‍💻👩‍💻👨‍💻

What are your reactions to this news?

Top comments (13)

Ben Halpern

This is awesome for developers short term because having this fully integrated will be really nice.

Long term, it centralizes more power to Microsoft and weakens the ecosystem/platform concept a bit. I think it's always important to root for alternative options to remain relevant.

Corey Alexander

One thing about the centralization is that Dependabot's core functionality is open source! And the blog post about the acquisition said it was the plan to keep it that way!

I hope this open core model might help fight some of this centralization by giving motivated individuals the ability to host their own alternative version

Ben Halpern

Great point

Sunny Singh

Agree, actually I haven't used or even heard of Dependabot until now but I've always added snyk.io to my Node.js projects. Will likely stick with them unless there's major benefits to GitHub's offering.

Abraham Williams

Agreed. Renovate is fantastic though and will give GH a run for their money.

Ben Halpern

I forgot! The creator of Dependabot has contributed code to dev.to.

Bump nokogiri from 1.8.3 to 1.8.4 #297

greysteil commented on Aug 09, 2018

Bumps nokogiri from 1.8.3 to 1.8.4.

Changelog

Sourced from nokogiri's changelog.

1.8.4 / 2018-07-03

Bug fixes

  • [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]

Commits

Dependabot compatibility score

I generated this by using Dependabot, a tool I built, on my fork. Would love to get you using it - it's totally free for open source and always will be. Hopefully it can save you a bunch of time, but having more repos use it that have great test suites also helps keep the compatibility score numbers super robust, so is good for everyone.

And that's how we got Dependabot integrated into our project. We've been longtime users.

Phil Ashby

Should be valuable for teams with little time to do this themselves, and encourages good testing hygiene, so you can actually accept all the PRs coming your way from the bot :)

There are other options of course: Snyk (as mentioned elsewhere) and OWASP Dependency Check, both of which concentrate on matching package versions in use with known vulnerabilities, thereby focusing on security rather than keeping up with the latest major version. YMMV.
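The "match package versions in use with known vulnerabilities" step that Phil describes is the core of every dependency scanner, so here is an added, self-contained sketch of it in Python. This is example code written for this thread, not code from Dependabot, Snyk or OWASP Dependency Check; the Gemfile.lock snippet and the advisory list are constructed, the advisory identifiers (`EXAMPLE-2018-000x`) are placeholders, and the nokogiri range is borrowed from the 1.8.3 to 1.8.4 bump quoted above purely for illustration. Real tools apply each ecosystem's own version semantics (pre-release tags, platform suffixes, `~>` style constraints); the purely numeric comparison below is a simplification.

```python
"""Minimal dependency-advisory matcher (added example, not a real tool).

Pinned versions are read from a Gemfile.lock-style text and compared
against advisory records whose affected range is a comma-separated list
of clauses such as ">=1.5.7,<1.8.4".
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder identifiers in this example
    package: str
    affected: str     # comma-separated clauses, e.g. ">=1.5.7,<1.8.4"
    fixed_in: str


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    fixed_in: str


def parse_version(text: str) -> tuple:
    """'1.8.4' -> (1, 8, 4). Non-numeric tags are ignored (simplification)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def _compare(a: tuple, b: tuple) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 1.8 == 1.8.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


# Allowed comparison results per operator.
_OPS = {">=": (0, 1), ">": (1,), "<=": (-1, 0), "<": (-1,), "==": (0,)}
_CLAUSE = re.compile(r"\s*(>=|<=|==|<|>)\s*([0-9][0-9.]*)\s*")


def version_matches(version: str, constraint: str) -> bool:
    """True when the version satisfies every clause of the constraint."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = m.groups()
        if _compare(v, parse_version(bound)) not in _OPS[op]:
            return False
    return True


# Direct entries in a Gemfile.lock "specs:" block are indented 4 spaces;
# their transitive dependencies (6 spaces, "~>" constraints) are skipped.
_LOCK_LINE = re.compile(r"^ {4}(\S+) \((\d[\d.]*)\)$")


def parse_gemfile_lock(text: str) -> dict:
    """Map gem name -> pinned version for the resolved specs."""
    pinned = {}
    for line in text.splitlines():
        m = _LOCK_LINE.match(line)
        if m:
            pinned[m.group(1)] = m.group(2)
    return pinned


def find_vulnerable(lockfile_text: str, advisories: list) -> list:
    """Return one Finding per advisory whose range covers a pinned version."""
    pinned = parse_gemfile_lock(lockfile_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package)
        if version is not None and version_matches(version, adv.affected):
            findings.append(Finding(adv.package, version, adv.advisory_id, adv.fixed_in))
    return findings


# Constructed lockfile excerpt (not from any real project).
LOCKFILE = """GEM
  remote: https://rubygems.org/
  specs:
    mini_portile2 (2.3.0)
    nokogiri (1.8.3)
      mini_portile2 (~> 2.3.0)
    rack (2.0.5)
"""

# Constructed advisories with placeholder ids; only the first one matches.
ADVISORIES = [
    Advisory("EXAMPLE-2018-0001", "nokogiri", ">=1.5.7,<1.8.4", "1.8.4"),
    Advisory("EXAMPLE-2018-0002", "rack", ">=2.0.0,<2.0.5", "2.0.5"),  # already fixed
    Advisory("EXAMPLE-2018-0003", "rails", "<5.2.1", "5.2.1"),         # not pinned
]

if __name__ == "__main__":
    for f in find_vulnerable(LOCKFILE, ADVISORIES):
        print(f"{f.package} {f.version}: {f.advisory_id}, upgrade to {f.fixed_in}")
```

Running it reports only `nokogiri 1.8.3`; `rack` is already at the fixed version and `rails` is not in the lockfile. A scanner that only matches against advisories stays quiet about non-security version bumps, which is exactly the trade-off Phil draws between this approach and Dependabot-style update PRs.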

Corey Alexander

I've said it a few times in the last few days since this announcement, but I couldn't be happier for the Dependabot team!

They make an amazing product and have always been amazingly helpful whenever I've had an issue. I've reached out a few times now just by mentioning them on one of my PRs, and EVERY time the founder has responded back to me very promptly and we've figured out the issue! Even as far as him shipping a code change within a few hours to fix an issue I was seeing!

Congrats on the acquisition guys, and can't wait for what's in the future!

Sunny Singh

This is awesome! I personally have been using Snyk, which looks like it does something very similar to Dependabot. Having security features like this built-in and for free is a plus.

Katie Adams

Could somebody give me a 'for dummies' guide as to what Dependabot is and what its benefits are? I'm seeing lots of positive things being said about it but am still a little unclear on what it is as it's my first time hearing the name.

Sung M. Kim

From the previous "Sponsor" post, it seems like GitHub's trying to make hard things easy for devs by integrating them into GitHub.

Ahmad Awais ⚡️

This is actually really good news! I loved Dependabot.

Joe Hobot

Is that the reason they are down? :)

Good post though.. now do remember who owns GitHub.