馃憢 Want to give us feedback on Dependabot, or contribute to it? That's great - thank you so much!
By submitting a contribution, you agree that contribution is licensed to GitHub under the MIT-0 license.
- Fork the project.
- Get the development environment running.
- Make your feature addition or bug fix.
- Add tests for it. This is important so we don't break it in a future version unintentionally.
- Send a pull request. The tests will run on it automatically, so don't worry if you couldn't get them running locally.
There's a good description of the project's layout in our README's Architecture section, but if you're struggling to understand how anything works please don't hesitate to create an issue.
- Commit messages matter. Here's how to write them well.
- We ask for one-commit-per-logical change. This generally results in one-commit-per-PR, but it's okay if a PR contains
multiple commits when it's easier to understand each commit as a distinct unit of work, but they must all be landed together.
A general rule of thumb is "What will make this code change simplest to understand for someone
git blamespelunking down the road?" - Because of 鈽濓笍 we will generally merge-via-squash. However, if a PR contains multiple commits that shouldn't be squashed, then we will typically merge via a merge commit and not a rebase since merge-via-rebase can break
git bisect.
If you are an ecosystem maintainer and are interested in integrating with Dependabot, and are willing to help provide the expertise necessary to build and support it, please open an issue and let us know.
In dependabot-core, each ecosystem implementation is in its own gem so you can use Dependabot for a language
we have not merged by creating a script to run your own gem or
fork of core, e.g. dependabot-lein-runner
Our plan in the year ahead is to invest more developer time directly in dependabot-core to improve our architecture so
each ecosystem is more isolated and testable. We also want to make a consistency pass on existing ecosystems so that there
is a clearer interface between core and the language-specific tooling.
Our goal is make it easier to create and test Dependabot extensions so there is a paved path for running additional ecosystems in the future.
We have begun using a Stalebot action to help keep the Issues and Pull requests backlogs tidy. You can see the configuration here. If you'd like to keep an issue open after getting a stalebot warning, simply comment on it and it'll reset the clock.