We wrapped up and polished a few smaller features recently that we had working in one form or another for individual customers. Let me tell you about them:


This does exactly what you think it does: Depfu will automatically merge a PR if and when all the status checks come back green.

You can configure to only auto-merge development or runtime dependencies and even specifically limit by SemVer type for very fine grained control.

⚠️ We advise to use this feature very cautiously: with compromised packages and continuous deployment you could quickly get into trouble. But for some projects it can make a lot of sense. You can also combine it with our reasonably up-to-date feature, which always waits at least 7 days before sending you the PR, to get a bit more safety.


Nightshift allows you to constrain the Depfu scheduler to a certain time of day and certain days of the week. This way you can tell Depfu to only send you PRs during your night time or during the weekend.

There are two main benefits:

  • Less PR noise during your working day and PRs are ready for you in the morning.
  • Depfu is not competing at all with your normal work, so we don’t use up CI capacity which could cause your developers to wait.

All security updates and manually triggered rebases will run outside of those limited hours, of course.


With Github apps you either select individual repos Depfu should run on or you select “all” repos. Originally, Depfu didn’t work with the “all” option, since we preferred to not have so much access.

But we had a few requests for enabling Depfu on every repo in an organization by default, especially from our Enterprise customers. So now you can! After selecting “all” in Github you can either choose individual repos yourself in Depfu or you enable Auto-Activation.

Auto-Activation enables all of your repos which are supported by Depfu. We also enable all future repos and repos that were initially empty, but later introduce package manager files we understand.

You can decide which update strategy newly activated repos should start with, for example by setting all of them to “Security Updates only” and then select other strategies individually per repo.


We’re always looking for small (and big) things that make your life with Depfu easier, smoother and calmer. So please don’t hold back on any feedback, we’re listening on Twitter and via email.