How Dependabot Actually Works
4 months ago
- #dependabot
- #dependency-management
- #open-source
- GitHub, GitLab, and Gitea offer dependency tracking and automated updates, but premium or closed-source features dominate.
- Dependabot-core, a key part of GitHub's dependency tooling, is MIT-licensed and written in Ruby, making it a starting point for open-source alternatives.
- Dependabot is not a bot but a stateless Ruby library, with proprietary GitHub infrastructure handling coordination and state tracking.
- In May 2024, GitHub relicensed dependabot-core under MIT, but the scheduling and coordination parts remain proprietary.
- The dependabot-core repository supports 25+ package ecosystems with idiosyncratic naming, differing from standards like PURL.
- Each ecosystem in dependabot-core implements four core classes: FileFetcher, FileParser, UpdateChecker, and FileUpdater.
- Dependabot-core shells out to native package managers, bundling multiple versions of tools like Python and npm.
- The npm ecosystem in dependabot-core includes patches and forks for compatibility, such as a fork of Yarn 1.x.
- Bundler in dependabot-core is heavily monkey-patched to handle SSH URLs, $LOAD_PATH, and Ruby version metadata.
- The test suite includes a fake 'silent' package ecosystem for testing without real registries.
- NuGet integration pulls in the NuGet.Client repository as a git submodule.
- Dependabot-core is stateless, requiring all context to be provided in the job definition for each run.
- GitHub's proprietary infrastructure handles scheduling, PR state tracking, rate limiting, and CVE matching.
- dependabot-gitlab demonstrates an open-source coordinator for GitLab, tracking state in PostgreSQL.
- Polling is the current model, but event-driven updates could reduce unnecessary registry lookups.
- An event-driven approach would require a dependency index, registry watchers, and webhook receivers.
- Renovate has a similar architecture, with open-source CLI but closed-source scheduler and coordination.
- The challenge is building an open-source, event-driven coordinator around dependabot-core.
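To make the four-class split and the stateless job model above concrete, here is an added Ruby example that is not code from dependabot-core or the article. It models a tiny "silent"-style ecosystem in the spirit of the test suite's fake ecosystem: a constructed in-memory registry and repository stand in for a package index and a git checkout, and the `FileFetcher`, `FileParser`, `UpdateChecker` and `FileUpdater` classes are simplified stand-ins for the real ones (the names match the roles described above; the constructor signatures, the JSON manifest format and the `run_job` / `EXAMPLE_JOB` shape are assumptions for this example). Everything a run needs, including the ignore list, arrives in the job hash; nothing is stored between calls.

```ruby
require "json"

# Constructed fake registry standing in for a real package index
# (assumption for this example, not dependabot-core's silent ecosystem).
FAKE_REGISTRY = {
  "left-pad" => ["1.0.0", "1.1.0", "1.3.0"],
  "is-even"  => ["0.1.0", "0.1.2"],
}.freeze

# Constructed repository contents keyed by path; the job's source.directory
# decides which files are in scope.
FAKE_REPO = {
  "/deps.json" => JSON.generate({ "left-pad" => "1.0.0", "is-even" => "0.1.2" }),
}.freeze

# FileFetcher: given only the source described in the job, return the
# manifest files this ecosystem cares about.
class FileFetcher
  def initialize(source:, repo:)
    @source = source
    @repo = repo
  end

  def files
    dir = @source.fetch("directory")
    @repo.select { |path, _| path.start_with?(dir) }
         .map { |path, content| { name: path, content: content } }
  end
end

# FileParser: turn manifest contents into a list of {name, version} hashes.
class FileParser
  def initialize(dependency_files:)
    @files = dependency_files
  end

  def parse
    @files.flat_map do |f|
      JSON.parse(f[:content]).map { |name, version| { name: name, version: version } }
    end
  end
end

# UpdateChecker: consult the registry for one dependency, honouring the
# job's ignore list ("name@version" strings, an assumed format).
class UpdateChecker
  def initialize(dependency:, registry:, ignore:)
    @dep = dependency
    @registry = registry
    @ignore = ignore
  end

  def latest_version
    versions = @registry.fetch(@dep[:name], [])
    versions = versions.reject { |v| @ignore.include?("#{@dep[:name]}@#{v}") }
    versions.max_by { |v| Gem::Version.new(v) }
  end

  def up_to_date?
    latest = latest_version
    latest.nil? || Gem::Version.new(latest) <= Gem::Version.new(@dep[:version])
  end
end

# FileUpdater: produce rewritten manifest contents; originals stay untouched.
class FileUpdater
  def initialize(dependencies:, dependency_files:)
    @deps = dependencies
    @files = dependency_files
  end

  def updated_dependency_files
    @files.map do |f|
      manifest = JSON.parse(f[:content])
      @deps.each { |d| manifest[d[:name]] = d[:version] if manifest.key?(d[:name]) }
      { name: f[:name], content: JSON.generate(manifest) }
    end
  end
end

# One stateless run: source and ignore list come from the job definition,
# and the result is returned rather than remembered.
def run_job(job, repo: FAKE_REPO, registry: FAKE_REGISTRY)
  files = FileFetcher.new(source: job.fetch("source"), repo: repo).files
  deps  = FileParser.new(dependency_files: files).parse
  updated = deps.filter_map do |dep|
    checker = UpdateChecker.new(dependency: dep, registry: registry, ignore: job.fetch("ignore", []))
    next if checker.up_to_date?
    { name: dep[:name], version: checker.latest_version, previous: dep[:version] }
  end
  new_files = FileUpdater.new(dependencies: updated, dependency_files: files).updated_dependency_files
  { updated_dependencies: updated, updated_files: new_files }
end

# Constructed job definition (field names are assumptions for this model).
EXAMPLE_JOB = {
  "source" => { "provider" => "github", "repo" => "example/app", "directory" => "/" },
  "ignore" => ["left-pad@1.3.0"],
}.freeze

puts JSON.pretty_generate(run_job(EXAMPLE_JOB)) if __FILE__ == $PROGRAM_NAME
```

Because `run_job` takes the whole job as input and returns the proposed file changes, a coordinator can call it from a scheduler, a webhook handler or a one-off script with identical results; that is the property the proprietary GitHub layer (and dependabot-gitlab) builds on when it decides which jobs to run and tracks the resulting PRs.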
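The last four points sketch what an event-driven coordinator needs: a dependency index, something that turns registry activity into events, and a state store so the same update is not proposed twice. The following added Ruby example (not dependabot-gitlab's or Renovate's code) models that loop in memory: `DependencyIndex` maps (ecosystem, package) to dependent repositories, `Coordinator#handle_event` consumes a constructed registry event and emits narrow, stateless job definitions, and `open_prs` stands in for the PostgreSQL table a real coordinator would keep. The event shape, the job fields and `polling_lookups` are assumptions for this illustration.

```ruby
require "set"

# Dependency index: which repos depend on which package. A real coordinator
# would populate this from each repo's parsed manifests and persist it; here
# it is an in-memory hash of Sets (constructed for this example).
class DependencyIndex
  def initialize
    @index = Hash.new { |h, k| h[k] = Set.new }
  end

  def record(repo:, ecosystem:, package:)
    @index[[ecosystem, package]] << repo
  end

  def dependents(ecosystem:, package:)
    @index[[ecosystem, package]].to_a.sort
  end
end

# Coordinator: receives registry events (from a watcher or a registry webhook),
# looks up dependents and queues stateless job definitions. open_prs models
# the persisted state needed to avoid proposing the same update twice.
class Coordinator
  attr_reader :queue, :open_prs

  def initialize(index)
    @index = index
    @queue = []
    @open_prs = Set.new
  end

  # event example (assumed shape):
  # {"ecosystem"=>"npm", "package"=>"left-pad", "version"=>"1.3.0"}
  # Returns the queue length after processing.
  def handle_event(event)
    eco, pkg, ver = event.values_at("ecosystem", "package", "version")
    @index.dependents(ecosystem: eco, package: pkg).each do |repo|
      key = [repo, eco, pkg, ver]
      next if @open_prs.include?(key) # this exact update is already open
      @open_prs << key
      @queue << {
        "source" => { "provider" => "github", "repo" => repo, "directory" => "/" },
        "package-manager" => eco,
        "dependencies" => [pkg], # only the package that changed, not every dependency
        "trigger" => "registry-event",
      }
    end
    @queue.size
  end

  # Called when the PR is merged or closed so a later release can be proposed.
  def pr_closed(repo:, ecosystem:, package:, version:)
    @open_prs.delete([repo, ecosystem, package, version])
  end
end

# Registry lookups a polling run would make for the same index: one per
# (repo, package) edge, whether or not anything changed.
def polling_lookups(index_edges)
  index_edges.size
end

# Constructed demo data: three repos, two ecosystems, four dependency edges.
def build_demo
  index = DependencyIndex.new
  edges = [
    ["acme/web", "npm", "left-pad"],
    ["acme/api", "npm", "left-pad"],
    ["acme/api", "npm", "is-even"],
    ["acme/cli", "pip", "requests"],
  ]
  edges.each { |repo, eco, pkg| index.record(repo: repo, ecosystem: eco, package: pkg) }
  [Coordinator.new(index), edges]
end

if __FILE__ == $PROGRAM_NAME
  coord, edges = build_demo
  coord.handle_event("ecosystem" => "npm", "package" => "left-pad", "version" => "1.3.0")
  puts "polling: #{polling_lookups(edges)} lookups; event-driven: #{coord.queue.size} jobs queued"
end
```

With one release of `left-pad`, the event-driven path queues two jobs (the two npm repos that depend on it) and touches no registry for the other edges, whereas a polling sweep would query all four. The same `open_prs` check also means a re-delivered webhook or a watcher that sees the release twice is harmless, which is the kind of idempotence a coordinator needs before it can be trusted to open PRs unattended.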