🤖 The core logic behind Dependabot's update PR creation, and the public issue tracker for all things Dependabot
Welcome to the public home of Dependabot. This repository serves 2 purposes:
Please file an issue. Bug reports, feature requests, and general feedback are all welcome.
Currently, the Dependabot team is not accepting support for new ecosystems. We are prioritising upgrades to already supported ecosystems at this time.
Please refer to the CONTRIBUTING guidelines for more information.
If you believe you have found a security vulnerability in Dependabot please submit the vulnerability to GitHub Security Bug Bounty so that we can resolve the issue before it is disclosed publicly.
In addition to this library, you may be interested in:
To run all of Dependabot Core, you'll need Ruby, Python, PHP, Elixir, Node, Go, Elm, and Rust installed. However, if you just wish to run it for a single language you can get away with just having that language and Ruby.
To install the helpers for each language:
cd npm_and_yarn/helpers && npm install --production && cd -
cd composer/helpers && composer install --no-dev && cd -
cd python/helpers && pyenv exec pip install -r requirements.txt && cd -
cd hex/helpers && mix deps.get && cd -
cd terraform && helpers/build "$(pwd)/helpers/install-dir/terraform" && cd -
cd go_modules && helpers/build "$(pwd)/helpers/install-dir/go_modules" && cd -
Run the tests by running
rspec specinside each of the packages. Style is enforced by RuboCop. To check for style violations, simply run
rubocopin each of the packages.
While you can run Dependabot Core without Docker, we also provide a development Dockerfile. In most cases, you'll be better off running Dependabot in the development Docker container as it bakes in all required dependencies.
Start by building the initial Dependabot Core image, or pull it from the Docker registry.
$ docker pull dependabot/dependabot-core # OR $ docker build -f Dockerfile -t dependabot/dependabot-core . # This may take a while
Once you have the base Docker image, you can build and run the development container using the
docker-dev-shellscript. The script will automatically build the container if it's not present and can be forced to rebuild with the
--rebuildflag. The image includes all dependencies, and the script runs the image, mounting the local copy of Dependabot Core so changes made locally will be reflected inside the container. This means you can continue to use your editor of choice while running the tests inside the container.
$ bin/docker-dev-shell => building image from Dockerfile.development => running docker development shell [dependabot-core-dev] ~/dependabot-core $
Note: you must have run
bundle installin the
omnibusdirectory before running this script.
You can use the "dry-run" script to simulate a dependency update job, printing the diff that would be generated to the terminal. It takes two positional arguments: the package manager and the GitHub repo name (including the account):
$ cd omnibus && bundle install && cd - $ bin/dry-run.rb go_modules rsc/quote => fetching dependency files => parsing dependency files => updating 2 dependencies ...
There's built-in support for leveraging Visual Studio Code's ability for debugging inside a Docker container. After installing the recommendedextension, simply press
⇧⌘Pon macOS) and select
Remote-Containers: Reopen in Container. You can also access the dropdown by clicking on the green button in the bottom-left corner of the editor. If the development Docker image isn't present on your machine, it will be built automatically. Once that's finished, start the
Debug Dry Runconfiguration
(F5)and you'll be prompted to select a package manager and a repository to perform a dry run on. Feel free to place breakpoints on the code.
Triggering the jobs that will push the new gems is done by following the steps below.
git checkout mainand
version.rb, and the rest of the needed commands:
CHANGELOGfile and remove any entries that aren't needed
Dependabot Core is a collection of Ruby packages (gems), which contain the logic for updating dependencies in several languages.
commonpackage contains all general-purpose/shared functionality. For instance, the code for creating pull requests via GitHub's API lives here, as does most of the logic for handling Git dependencies (as most languages support Git dependencies in one way or another). There are also base classes defined for each of the major concerns required to implement support for a language or package manager.
There is a gem for each package manager or language that Dependabot supports. At a minimum, each of these gems will implement the following classes:
| Service | Description | |------------------|-----------------------------------------------------------------------------------------------| |
FileFetcher| Fetches the relevant dependency files for a project (e.g., the
Gemfile.lock). See the README for more details. | |
FileParser| Parses a dependency file and extracts a list of dependencies for a project. See the README for more details. | |
UpdateChecker| Checks whether a given dependency is up-to-date. See the README for more details. | |
FileUpdater| Updates a dependency file to use the latest version of a given dependency. See the README for more details. | |
MetadataFinder| Looks up metadata about a dependency, such as its GitHub URL. See the README for more details. | |
Version| Describes the logic for comparing dependency versions. See the hex Version class for an example. | |
Requirement| Describes the format of a dependency requirement (e.g.
>= 1.2.3). See the hex Requirement class for an example. |
The high-level flow looks like this:
This is a "meta" gem, that simply depends on all the others. If you want to automatically include support for all languages, you can just include this gem and you'll get all you need.
You can profile a dry-run by passing the
--profileflag when running it. This will generate a
stackprof-.dumpfile in the
tmp/folder, and you can generate a flamegraph from this by running:
stackprof --d3-flamegraph tmp/stackprof-.dump > tmp/flamegraph.html.
As the name suggests, Dependabot Core is the core of Dependabot (the rest of the app is pretty much just a UI and database). If we were paranoid about someone stealing our business then we'd be keeping it under lock and key.
Dependabot Core is public because we're more interested in it having an impact than we are in making a buck from it. We'd love you to use Dependabot so that we can continue to develop it, but if you want to build and host your own version then this library should make doing so a lot easier.
If you use Dependabot Core then we'd love to hear what you build!
We use the License Zero Prosperity Public License, which essentially enshrines the following: - If you would like to use Dependabot Core in a non-commercial capacity, such as to host a bot at your workplace, then we give you full permission to do so. In fact, we'd love you to and will help and support you however we can. - If you would like to add Dependabot's functionality to your for-profit company's offering then we DO NOT give you permission to use Dependabot Core to do so. Please contact us directly to discuss a partnership or licensing arrangement.
If you make a significant contribution to Dependabot Core then you will be asked to transfer the IP of that contribution to Dependabot Ltd so that it can be licensed in the same way as the above.
Dependabot and Dependabot Core started life as Bump and Bump Core, back when Harry and Grey were working at GoCardless. We remain grateful for the help and support of GoCardless in helping make Dependabot possible - if you need to collect recurring payments from Europe, check them out.