Edit: copy/pasting my more extensive comment from the Sponsors thread.<p>All the recent additions to Github are superficially very nice and convenient features (Actions, package registry, Sponsors, Dependabot).<p>But they represent a very significant change in mindset. Github is turning from a neutral code hosting platform with a myriad of equally empowered third party integrations in the direction of an "all in one" dev tool and platform.<p>I understand the internal pressures to do this: increased popularity, added value proposition for customers, more revenue.<p>But: all the built-in tools will have an inherent advantage over third party solutions. This inevitably leads to increased lock-in and homogenization.<p>I was very critical of the Microsoft acquisition for similar reasons, and considering the monumental role Github represents for open source today, I am very sceptical of the way things are going.<p>We might very well regret centralizing everything open source around Github in a few years.
Curious about the side effects of this.<p>Imagine you had an open source project that was just something on the side or that you worked on in a different life. And then you see pull requests for updates and decide to fix a bug here or there. And then maybe it prompts you to recommit to it.<p>If that were to apply to even a tiny percentage across all of Github, it could have major implications for open source as a whole.
Did GitHub just activate this without confirmation or notification? I'm suddenly receiving PRs on my repos from dependabot without ever activating this tool.<p>Edit: looks like they defaulted to enable "Automated security fixes" on the Security > Alerts tab.
Congrats to the Dependabot team!<p>I've had the pleasure of reaching out to Dependabot a few times when I've had issues or problems and you guys have always been super responsive and quick to fix any bugs!<p>Congrats again on joining Github! And excited to see what's next for Dependabot!
Congrats guys! For anyone interested, here's an interview on how Dependabot started:
<a href="https://www.indiehackers.com/interview/living-off-our-savings-and-growing-our-saas-to-740-mo-696f9b110f" rel="nofollow">https://www.indiehackers.com/interview/living-off-our-saving...</a>
Huge congrats to Dependabot team! If you're starting a new project in Python (+ others), having Dependabot + CircleCI (or something equivalent) + Strong test coverage will save you hundreds of hours (eventually).<p>Best trick is to make sure your test coverage is strong early (I know this is easier said than done ...), then you can just merge updated requirements without ever worrying.<p>GitHub has a type of service that would check requirements already, it just never felt as polished as Dependabot. But it goes to show how far a committed team can prioritize over bigger players. IIRC, they still use Heroku, which seems like a lot of discipline in prioritizing the right product features over just building tech stacks in BigCloudProviders.
That makes so much sense! A more secure open source world, a better product for our closed projects and two amazing tools merging. Love it!<p>Dependabot, you did well, built a fantastic tool, now join the rocketship and kick ass!