Here’s how Depfu works

Depfu is like a colleague who sends you pull requests with all the info you need about an update. You stay in control of if and when to merge.

We support Ruby projects using Bundler.

We support JavaScript projects using npm, Yarn and pnpm.

We support PHP projects using Composer.

We support Elixir projects using Hex.

Simply connect your Github or Gitlab repo with Depfu. That’s it.

  • A UI based setup flow lets you choose which repos you want Depfu to have access to and run on.
  • You don’t need to add any files to your repo or change any settings in Github or Gitlab manually.
  • All interaction with your repo happens via the API. We never clone your repo, not even temporarily.

With Github Apps you have fine-grained control over which of your repos you want Depfu to see.


With Gitlab we add our bot-user to the repo and install a webhook that informs us about relevant changes.

We check what's outdated and start by sending you 3 pull requests.

  • If you have any security vulnerabilities in your dependencies, you'll get PRs for those first.
  • We'll send you 3 easy updates, so you can see our PRs and hopefully merge them right away.
  • Once you merge or close a PR we'll send you another one until you're up-to-date, but never more than 7 at the same time.

The whole picture

  • The dashboard shows you the state of your dependencies and what Depfu is up to right now.
  • Since we limit the number of open PRs there might be a backlog of queued updates, which you can control from the dashboard.
  • You can also pause updates for a dependency if you know you're stuck on an old version.

Every team works differently

  • Decide on your preferred update strategy and configure Depfu to send you individual updates, recurring grouped updates or only security updates.
  • Customize the branch format and commit message. Decide if you want to add labels to the PRs and assign anyone or request a review.
  • Set up your private package repositories.

All the info you need to make an informed decision about a dependency update

What changed? We gather everything we can find about the new version, from the release notes and the project's changelog to all commits for that version, so you don't need to hunt that down yourself over and over again.

Knowing whether your tests pass is half the battle! The majority of updates can be applied without any changes – we have the data to prove it. For the rest, the PR is a good place to start fixing the issues.

Take a look at the example repo to see our pull requests in action.

"The direct link to the changelog and the list of commits allow me to quickly look at the changeset, which is very helpful when trying to determine if there is any commit that requires additional investigation."
Simone Carletti
CTO, dnsimple

Don't care about every. single. version?

If you enable the reasonably up-to-date strategy, Depfu "matures" new versions depending on the library's past release frequency instead of opening a PR right away.

None of your dependencies will be more than one month behind.
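The page says only that versions are "matured" based on past release frequency and that nothing falls more than a month behind; it does not publish the rule. The following is an added illustration, not Depfu's code: it assumes one plausible rule (wait the median gap between a library's recent releases, capped at 30 days) and skips any version that is superseded by a newer one before it matures. The release dates are constructed samples.

```python
from datetime import date, timedelta
from statistics import median
from typing import List

MAX_LAG = timedelta(days=30)   # the page's bound: no dependency more than one month behind


def maturation_delay(release_dates: List[date], max_lag: timedelta = MAX_LAG) -> timedelta:
    """Assumed rule (not Depfu's published formula): wait the median gap between the
    library's recent releases before treating a version as mature, never longer than max_lag."""
    dates = sorted(release_dates)
    if len(dates) < 2:
        return max_lag                      # no history to judge frequency from
    gaps_in_days = [(b - a).days for a, b in zip(dates, dates[1:])]
    return min(timedelta(days=median(gaps_in_days)), max_lag)


def matured_versions(release_dates: List[date], delay: timedelta) -> List[date]:
    """Release dates that would get their own PR: a version is superseded (and skipped)
    when a newer version appears before it has matured."""
    dates = sorted(release_dates)
    delivered = []
    for i, released in enumerate(dates):
        mature_on = released + delay
        is_last = i == len(dates) - 1
        if is_last or dates[i + 1] > mature_on:
            delivered.append(released)
    return delivered


def pr_reduction(release_dates: List[date]) -> float:
    """Fraction of releases that never become a PR under the assumed rule (needs >= 1 release)."""
    delay = maturation_delay(release_dates)
    return 1 - len(matured_versions(release_dates, delay)) / len(release_dates)


# Constructed sample: a library with bursty releases on these day offsets from 2024-01-01.
SAMPLE_RELEASES = [date(2024, 1, 1) + timedelta(days=d) for d in (0, 1, 3, 10, 11, 12, 20, 35)]
# Constructed sample: a library that releases quarterly, so the delay is capped at one month.
SLOW_RELEASES = [date(2024, 1, 1), date(2024, 3, 31), date(2024, 6, 29)]

if __name__ == "__main__":
    delay = maturation_delay(SAMPLE_RELEASES)
    print("delay:", delay, "PRs:", len(matured_versions(SAMPLE_RELEASES, delay)),
          "of", len(SAMPLE_RELEASES), "reduction:", pr_reduction(SAMPLE_RELEASES))
```

With the bursty sample, four of eight releases are superseded before they mature, which is the kind of halving the page describes; the quarterly library hits the 30-day cap, so it is never more than a month behind.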

Chart: Releases vs PRs per week for an average npm project with 65 direct dependencies (series: number of actual releases, number of Depfu PRs).

This reduces the number of PRs per week compared to sending you every new version by roughly 50% — sometimes more, sometimes less.

Get a single, recurring pull request

Depfu also supports sending you a single weekly/biweekly/monthly PR that updates all your outdated dependencies at once.

This works well for smaller projects and projects in low maintenance mode or if you prefer a constant rhythm for your dependency updates.

Security vulnerabilities

Get actionable PRs instead of emails! We sync with open-source DBs and Github's security alerts to send you a PR with the new version as quickly as possible. These will always jump the queue.

Brings you up-to-date

We drip-feed you updates if you're behind, but never open more than 7 PRs at once, so as not to overwhelm you. This way, we bring you up-to-date one dependency at a time, at your own pace.
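The queue behaviour described above and in the "3 pull requests" section (security fixes first, 3 PRs after setup, one more per merged or closed PR, never more than 7 open, paused dependencies skipped) can be written down as a small scheduler. This is an added example, not Depfu's code; the package names are constructed samples and the refill and jump-the-queue details are assumptions drawn from the wording of the page.

```python
from dataclasses import dataclass, field
from typing import List

MAX_OPEN_PRS = 7   # cap on simultaneously open PRs, as stated on the page
INITIAL_BATCH = 3  # PRs sent right after setup, as stated on the page


@dataclass
class Update:
    name: str               # dependency name; the values used below are constructed samples
    security: bool = False  # fixes a known vulnerability -> jumps the queue
    paused: bool = False    # user paused this dependency -> never gets a PR


@dataclass
class UpdateQueue:
    backlog: List[Update] = field(default_factory=list)   # outdated deps, discovery order
    open_prs: List[Update] = field(default_factory=list)

    def _candidates(self) -> List[Update]:
        """Security updates first, then the rest in discovery order; paused deps are skipped."""
        live = [u for u in self.backlog if not u.paused]
        return [u for u in live if u.security] + [u for u in live if not u.security]

    def _open_up_to(self, limit: int) -> List[Update]:
        """Open PRs until `limit` are open (never above MAX_OPEN_PRS) or nothing is left to send."""
        limit = min(limit, MAX_OPEN_PRS)
        opened = []
        for u in self._candidates():
            if len(self.open_prs) >= limit:
                break
            self.backlog.remove(u)
            self.open_prs.append(u)
            opened.append(u)
        return opened

    def initial_sync(self) -> List[Update]:
        """First run after connecting the repo: vulnerable deps first, three PRs in total."""
        return self._open_up_to(INITIAL_BATCH)

    def resolve(self, name: str) -> List[Update]:
        """The user merged or closed a PR; the freed slot is refilled with the next queued update."""
        before = len(self.open_prs)
        self.open_prs = [u for u in self.open_prs if u.name != name]
        if len(self.open_prs) == before:
            return []                       # unknown PR name, nothing changes
        return self._open_up_to(before)

    def report_security(self, update: Update) -> List[Update]:
        """A newly published advisory: queue the fix ahead of everything, open it now if the cap allows."""
        update.security = True
        self.backlog.insert(0, update)
        return self._open_up_to(len(self.open_prs) + 1)


def demo() -> dict:
    """Walk the queue through setup, a merge, advisories and the cap; returns what was opened at each step."""
    def names(prs):
        return [u.name for u in prs]

    q = UpdateQueue(backlog=[
        Update("pkg-a"), Update("pkg-b", security=True), Update("pkg-c"),
        Update("pkg-d"), Update("pkg-e", paused=True), Update("pkg-f"),
    ])
    steps = {
        "setup": names(q.initial_sync()),                        # ['pkg-b', 'pkg-a', 'pkg-c']
        "after_merge": names(q.resolve("pkg-a")),                # ['pkg-d']
        "advisory": names(q.report_security(Update("pkg-g"))),   # ['pkg-g']
    }
    # Four more advisories: three fit under the cap of 7, the fourth has to wait.
    steps["more_advisories"] = [names(q.report_security(Update(n)))
                                for n in ("pkg-h", "pkg-i", "pkg-j", "pkg-k")]
    steps["open_now"] = names(q.open_prs)                        # 7 entries
    steps["after_second_merge"] = names(q.resolve("pkg-b"))      # ['pkg-k']: the waiting fix goes first
    steps["still_queued"] = names(q.backlog)                     # ['pkg-e', 'pkg-f']
    return steps


if __name__ == "__main__":
    for step, opened in demo().items():
        print(f"{step}: {opened}")
```

The point the walk-through makes is that the cap and the priority rule interact: a flood of advisories never pushes more than 7 PRs onto a team, but every slot freed by a merge goes to a pending security fix before any ordinary update.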

If it hurts, do it more often

We strongly believe in doing small updates continuously instead of waiting until you're far behind and having to update everything at once. It's actually less work and less risk.

Your code is safe with us

We understand the security of your company’s source code is extremely important and we’ve built Depfu with that in mind. You can also run your own instance with Depfu Enterprise.