👋 Want to give us feedback on Dependabot, or contribute to it? That's great - thank you so much!
We are not currently accepting new ecosystems into dependabot-core, starting in December 2020 until at least June 2021.
Dependabot has grown dramatically in the last two years since integrating with GitHub. We are now used by millions of repositories across 16 package managers. We aim to provide the best user experience possible for each of these, but we have found we've lacked the capacity – and in some cases the in-house expertise – to support new ecosystems in the last year. We want to be confident we can support each ecosystem we merge.
In the immediate future, we want to focus more of our resources on merging improvements to the ecosystems we already support. This does not mean that we are stopping work or investing less in this space - in fact, we're investing more, to make it a great user experience. This tough call means we can also provide a better experience for our contributors, where PRs don't go stale while waiting for a review.
We hope to be able to accept community contributions for ecosystem support again soon.
In dependabot-core, each ecosystem implementation is in its own gem so you can use Dependabot for a language we have not merged by creating a script to run your own gem or fork of core, e.g. dependabot-lein-runner.
Our plan in the year ahead is to invest more developer time directly in dependabot-core to improve our architecture so each ecosystem is more isolated and testable. We also want to make a consistency pass on existing ecosystems so that there is a clearer interface between core and the language-specific tooling.
Our goal is to make it easier to create and test Dependabot extensions so there is a paved path for running additional ecosystems in the future.
- Fork the project.
- Make your feature addition or bug fix.
- Add tests for it. This is important so we don't break it in a future version unintentionally.
- Send a pull request. The tests will run on it automatically, so don't worry if you couldn't get them running locally.
Getting set up to run all of the tests on Dependabot isn't as simple as we'd like it to be - sorry about that. Dependabot needs to shell out to multiple different languages to correctly update dependency files, which makes things a little complicated.
Assuming you're working on a single language, the best thing to do is just to install Ruby and the language you're working on as follows:
- Install rbenv (a Ruby version manager)
- Install the latest Ruby
- Install Bundler with `gem install bundler` (this is Ruby's package manager)
- Install Dependabot's Ruby dependencies with `bundle install`
- Install the language dependencies for whatever languages you're working on (see how we do it in CI)
- Run the tests for the file you're working on with `bundle exec rspec spec/dependabot/file_updaters/elixir/` (for example). They should be green (although might need an internet connection).
There's a good description of the project's layout in our README, but if you're struggling to understand how anything works please don't hesitate to create an issue.