Here’s how Depfu works
Depfu is like a colleague who sends you pull requests with all the info you need about an update. You stay in control of if and when to merge.
We support Ruby projects using Bundler.
We support PHP projects using Composer.
We support Elixir projects using Hex.
Simply connect your Github or Gitlab repo with Depfu. That’s it.
- A UI based setup flow lets you choose which repos you want Depfu to have access to and run on.
- You don’t need to add any files to your repo or change any settings in Github or Gitlab manually.
- All interactions with your repo happen via the API. We never clone your repo, not even temporarily.
With Github Apps you have fine-grained control over which of your repos you want Depfu to see.
With Gitlab we add our bot-user to the repo and install a webhook that informs us about relevant changes.
We check what's outdated and start by sending you 3 pull requests.
- If you have any security vulnerabilities in your dependencies, you'll get PRs for those first.
- We'll send you 3 easy updates, so you can see our PRs and hopefully merge them right away.
- Once you merge or close a PR we'll send you another one until you're up-to-date, but never more than 7 at the same time.
The whole picture
- The dashboard shows you the state of your dependencies and what Depfu is up to right now.
- Since we limit the number of open PRs there might be a backlog of queued updates, which you can control from the dashboard.
- You can also pause updates for a dependency if you know you're stuck on an old version.
Every team works differently
- Decide on your preferred update strategy and configure Depfu to send you individual updates, recurring grouped updates or only security updates.
- Customize the branch format and commit message. Decide if you want to add labels to the PRs and assign anyone or request a review.
- Set up your private package repositories.
All the info you need to make an informed decision about a dependency update
What changed? We gather everything we can find about the new version, from release notes and the project's changelog to all commits for that version, so you don’t need to hunt that down yourself over and over again.
Knowing if your tests pass is half the battle! The majority of updates can be applied without any changes – we have the data to prove it. For the rest the PR is a good place to start fixing the issues.
Take a look at the example repo to see our pull requests in action.
Don't care about every. single. version?
If you enable the reasonably up-to-date strategy, Depfu lets new versions "mature" for a period based on the library's past release frequency instead of opening a PR right away.
None of your dependencies will be more than one month behind.
[Chart: Releases vs PRs per week for an average npm project with 65 direct dependencies. Series: number of actual releases; number of Depfu PRs.]
This reduces the number of PRs per week compared to sending you every new version by roughly 50% — sometimes more, sometimes less.
Get a single, recurring pull request
Depfu also supports sending you a single weekly/biweekly/monthly PR that updates all your outdated dependencies at once.
This works well for smaller projects and projects in low-maintenance mode, or if you prefer a constant rhythm for your dependency updates.
If it hurts, do it more often
We strongly believe in doing small updates continuously instead of waiting until you're quite behind and having to update everything at once. It's actually less work and less risk.
All plans start with a 21-day free trial.
No credit card required.