It was recently announced that GitHub has acquired Dependabot. This is the latest in a string of big announcements, product news, and acquisitions from GitHub.
Via the announcement post:
Here's what you need to know:
- We're integrating Dependabot directly into GitHub, starting with security fix PRs 👮‍♂️
- You can still install Dependabot from the GitHub Marketplace whilst we integrate it into GitHub, but it's now free of charge 🎁
- We've doubled the size of Dependabot's team; expect lots of great improvements over the coming months 👩‍💻👨‍💻👩‍💻👨‍💻👩‍💻👨‍💻
What are your reactions to this news?
Top comments (13)
This is awesome for developers short term because having this fully integrated will be really nice.
Longterm, it centralizes more power to Microsoft and weakens the ecosystem/platform concept a bit. I think it's always important to root for alternative options to remain relevant.
One thing about the centralization is that Dependabot's core functionality is open source! And the blog post about the acquisition said it was the plan to keep it that way!
I hope this open core model might help fight some of this centralization by giving motivated individuals the ability to host their own alternative version.
Great point
Agree, actually I haven't used or even heard of Dependabot until now but I've always added snyk.io to my Node.js projects. Will likely stick with them unless there's major benefits to GitHub's offering.
Agreed. Renovate is fantastic though and will give GH a run for their money.
I forgot! The creator of Dependabot has contributed code to dev.to.
Pull request #297: Bump nokogiri from 1.8.3 to 1.8.4
Bumps nokogiri from 1.8.3 to 1.8.4.
Changelog
Sourced from nokogiri's changelog.
Commits
I generated this by using Dependabot, a tool I built, on my fork. Would love to get you using it - it's totally free for open source and always will be. Hopefully it can save you a bunch of time, but having more repos use it that have great test suites also helps keep the compatibility score numbers super robust, so is good for everyone.
And that's how we got Dependabot integrated into our project. We've been longtime users.
Should be valuable for teams with little time to do this themselves, and encourages good testing hygiene, so you can actually accept all the PRs coming your way from the bot :)
There are other options of course: Snyk (as mentioned elsewhere) and OWASP Dependency Check, both of which concentrate on matching package versions in use with known vulnerabilities, thereby focusing on security rather than keeping up with the latest major version. YMMV.
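The comment above draws a line between two different checks: flagging a dependency because a newer release exists (the version-bump PRs Dependabot is known for) versus flagging it because the installed version falls inside a known-vulnerable range (the Snyk / OWASP Dependency Check model), with the announcement's "security fix PRs" being the overlap of the two. The following is an added illustration written for this thread, not code from Dependabot, Snyk, OWASP or any commenter; the package names other than nokogiri, the "latest" versions, the advisory ranges and the `EXAMPLE-ADV-*` identifiers are all constructed placeholders, and versions are assumed to be plain dotted integers.

```python
"""Toy dependency audit contrasting "outdated" with "vulnerable".

All inputs below are constructed sample data for illustration; the
advisory identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '1.8.3' into (1, 8, 3) so versions compare numerically.

    Assumes plain dotted integers (no pre-release tags); a real tool
    would use the ecosystem's own version parser.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # constructed placeholder identifier


# Constructed sample state of a project's lockfile.
INSTALLED = {
    "nokogiri": "1.8.3",      # version from the PR quoted in this thread
    "examplepkg": "2.1.0",    # fictional package
    "steady": "1.0.0",        # fictional package, already current
}

# Constructed "latest release" index, as a registry lookup would return.
LATEST = {
    "nokogiri": "1.8.4",
    "examplepkg": "2.2.0",
    "steady": "1.0.0",
}

# Constructed advisory database. Only the fictional package is affected;
# nothing here asserts anything about real nokogiri releases.
ADVISORIES = [
    Advisory("examplepkg", "2.0.0", "2.1.5", "EXAMPLE-ADV-0001"),
    Advisory("examplepkg", "1.0.0", "1.4.0", "EXAMPLE-ADV-0002"),  # older range, not hit
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def vulnerability_report(installed: dict, advisories: list) -> dict:
    """Snyk / Dependency-Check style: package -> list of matching advisory ids."""
    findings = {}
    for adv in advisories:
        current = installed.get(adv.package)
        if current is not None and is_affected(current, adv):
            findings.setdefault(adv.package, []).append(adv.advisory_id)
    return findings


def outdated_report(installed: dict, latest: dict) -> dict:
    """Version-bump style: package -> (installed, latest) when a newer release exists."""
    return {
        name: (current, latest[name])
        for name, current in installed.items()
        if name in latest and parse_version(latest[name]) > parse_version(current)
    }


def classify_updates(installed: dict, latest: dict, advisories: list) -> dict:
    """Split available bumps into 'security' (fixes a matching advisory)
    and 'version' (newer release, no known advisory)."""
    vulnerable = vulnerability_report(installed, advisories)
    result = {"security": {}, "version": {}}
    for name, (current, newest) in outdated_report(installed, latest).items():
        bucket = "security" if name in vulnerable else "version"
        result[bucket][name] = (current, newest)
    return result


if __name__ == "__main__":
    print("vulnerable:", vulnerability_report(INSTALLED, ADVISORIES))
    print("outdated:  ", outdated_report(INSTALLED, LATEST))
    print("updates:   ", classify_updates(INSTALLED, LATEST, ADVISORIES))
```

Run as-is it reports nokogiri as a plain version bump, examplepkg as a security update, and steady as nothing at all; the point is that an "up to date" check and a "known vulnerability" check answer different questions, and a team that only accepts one kind of PR is blind to the other.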
I've said it a few times in the last few days since this announcement, but I couldn't be happier for the Dependabot team!
They make an amazing product and have always been amazingly helpful whenever I've had an issue. I've reached out a few times now just by mentioning them on one of my PRs, and EVERY time the founder has responded back to me very promptly and we've figured out the issue! Even as far as him shipping a code change within a few hours to fix an issue I was seeing!
Congrats on the acquisition guys, and can't wait for what's in the future!
This is awesome! I personally have been using Snyk which looks like does something very similar to Dependabot. Having security features like this built-in and for free are a plus.
Could somebody give me a 'for dummies' guide as to what Dependabot is and what its benefits are? I'm seeing lots of positive things being said about it but am still a little unclear on what it is as it's my first time hearing the name.
From the previous "Sponsor" post, it seems like GitHub's trying to make hard things easy for devs by integrating 'em into GitHub.
(Linked post: "GitHub announces 'GitHub Sponsors'" by Peter Kim Frank)
This is actually really good news! I loved Dependabot.
Is that the reason they are down? :)
Good post though.. now do remember who owns GitHub.