Here’s how Depfu works

Depfu is like a colleague who sends you pull requests with all the info you need about an update. You stay in control of if and when to merge.

Enable the Depfu GitHub App on your public or private repo. It's done in less than a minute.

We support all Ruby projects using Bundler. With or without a Gemfile.lock.

We support all JavaScript projects using npm or Yarn. Lock files are handled automatically.

Simply connect your GitHub repo with Depfu. That’s it.

  • Depfu connects to GitHub via their API. With GitHub Apps you have fine-grained control over which of your repos you want Depfu to see and keep up to date.
  • You don’t need to add any files to your repo or change any GitHub settings manually.
  • All interaction with your repo happens via the GitHub API. We never clone your repo, not even temporarily.

We keep track of new versions so you don’t have to

Once we have parsed your Gemfile or package.json, we know exactly which libraries and versions you depend on. For every new version of a library you depend on, we create a branch. In that branch we change your Gemfile or package.json to pull in the new version. We rely on your CI to trigger a test run for the branch (or pull request) we created.
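As an added worked example (not Depfu's own code), here is that manifest step in Ruby: parse a package.json and a Gemfile, work out which dependencies have a newer version than the pinned one, and produce the edited manifest a per-update branch would carry. The sample manifests and the hash of "latest" versions are constructed for this example, and the branch name format is this example's choice, not Depfu's.

```ruby
require "json"
require "rubygems" # for Gem::Version comparisons

# Constructed sample manifests; not taken from the Depfu page or any real project.
SAMPLE_PACKAGE_JSON = <<~JSON
  {
    "name": "example-app",
    "dependencies": { "lodash": "^4.17.4", "express": "4.16.2" },
    "devDependencies": { "mocha": "~5.0.0" }
  }
JSON

SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "~> 5.1.4"
  gem "pg"
  gem "nokogiri", ">= 1.8.0", require: false
GEMFILE

# Constructed stand-in for "what the registry says is the latest version".
LATEST = {
  "lodash" => "4.17.10", "express" => "4.16.2", "mocha" => "5.0.1",
  "rails" => "5.1.6", "pg" => "1.0.0", "nokogiri" => "1.8.2",
}.freeze

# A quoted requirement: optional range operator ("~>", ">=", "^", ...) then a version.
REQUIREMENT = /(['"])\s*([~>=<!^]*\s*)(\d[\w.\-]*)\1/

# name => requirement for every dependency in a package.json.
def package_json_dependencies(json)
  data = JSON.parse(json)
  %w[dependencies devDependencies].flat_map { |k| (data[k] || {}).to_a }.to_h
end

# name => requirement for every gem line; an unpinned gem (gem "pg") maps to nil.
def gemfile_dependencies(gemfile)
  gemfile.lines.each_with_object({}) do |line, deps|
    m = line.match(/\A\s*gem\s+(['"])([^'"]+)\1(.*)/) or next
    req = m[3].match(REQUIREMENT)
    deps[m[2]] = req && "#{req[2]}#{req[3]}"
  end
end

# Dependencies whose latest known version is newer than the pinned number.
# Each entry is one branch and one pull request.
def outdated(deps, latest)
  deps.each_with_object({}) do |(name, req), out|
    next if req.nil? || !latest.key?(name)
    current = req[/\d[\w.\-]*/]
    out[name] = latest[name] if Gem::Version.new(latest[name]) > Gem::Version.new(current)
  end
end

# New package.json with `name` bumped, keeping the range prefix the project used.
def bump_package_json(json, name, new_version)
  data = JSON.parse(json)
  hit = false
  %w[dependencies devDependencies].each do |section|
    deps = data[section] or next
    next unless deps.key?(name)
    prefix = deps[name][/\A[\^~>=<]*/]
    deps[name] = "#{prefix}#{new_version}"
    hit = true
  end
  raise ArgumentError, "#{name} is not a dependency" unless hit
  JSON.pretty_generate(data) + "\n"
end

# New Gemfile with `name` bumped. Only the number changes; "~>" / ">=" stay so the
# project's own range policy is preserved. An unpinned gem line is left as it is.
def bump_gemfile(gemfile, name, new_version)
  hit = false
  out = gemfile.lines.map do |line|
    next line unless line.match?(/\A\s*gem\s+['"]#{Regexp.escape(name)}['"]/)
    hit = true
    line.sub(REQUIREMENT) { "#{$1}#{$2}#{new_version}#{$1}" }
  end
  raise ArgumentError, "#{name} is not in the Gemfile" unless hit
  out.join
end

# Branch name for one update (format is this example's assumption, not Depfu's).
def branch_name(ecosystem, name, version)
  "depfu/update/#{ecosystem}/#{name}-#{version}"
end

if __FILE__ == $PROGRAM_NAME
  outdated(package_json_dependencies(SAMPLE_PACKAGE_JSON), LATEST).each do |name, v|
    puts "#{branch_name('npm', name, v)}:"
    puts bump_package_json(SAMPLE_PACKAGE_JSON, name, v)
  end
  outdated(gemfile_dependencies(SAMPLE_GEMFILE), LATEST).each do |name, v|
    puts "#{branch_name('bundler', name, v)}:"
    puts bump_gemfile(SAMPLE_GEMFILE, name, v)
  end
end
```

Keeping the project's own range operator is the point of the bump functions: a tool that silently rewrites "~> 5.1.4" into "= 5.1.6" changes the project's upgrade policy, not just the version. With a lockfile present the lockfile would be regenerated as well, which this example does not do.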

Automatically integrates with your CI service

Knowing whether your tests pass with a new version of a dependency is half the battle. To integrate with your CI, Depfu uses the GitHub Status API, which is supported by pretty much all CI services, from Travis CI to your own Jenkins instance. That means we don’t run any of your tests ourselves; we rely on your CI to test the branches and pull requests and report the results back to GitHub.
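As an added example (not Depfu's or GitHub's own code) of the merge-time check the Status API makes possible: given the combined-status payload for a branch head, in the shape GitHub returns from GET /repos/:owner/:repo/commits/:ref/status, decide whether the update was actually tested. The payloads are constructed for this example, and the list of required contexts is an assumption about one particular repo's CI setup.

```ruby
require "json"

# Constructed combined-status payloads in the shape GitHub returns for a commit
# (GET /repos/:owner/:repo/commits/:ref/status). Not real Depfu or CI output.
ALL_GREEN = <<~JSON
  { "state": "success", "statuses": [
      { "context": "continuous-integration/travis-ci/pr",   "state": "success" },
      { "context": "continuous-integration/travis-ci/push", "state": "success" } ] }
JSON

ONE_RED = <<~JSON
  { "state": "failure", "statuses": [
      { "context": "continuous-integration/travis-ci/pr",   "state": "failure" },
      { "context": "continuous-integration/travis-ci/push", "state": "success" } ] }
JSON

# No CI ever reported: GitHub gives a combined "pending" when there are no statuses.
NEVER_TESTED = <<~JSON
  { "state": "pending", "statuses": [] }
JSON

# Contexts a reviewer insists on before treating an update as tested (assumed).
REQUIRED_CONTEXTS = ["continuous-integration/travis-ci/pr"].freeze

# Returns :tested, :failed or :untested for a combined-status payload.
# A combined "success" is not enough on its own: the contexts we depend on must be
# present and green, so a repo whose CI silently stopped reporting is not waved
# through, and a pending context is treated as "not tested yet", not as a pass.
def ci_verdict(payload, required = REQUIRED_CONTEXTS)
  data = JSON.parse(payload)
  by_context = data.fetch("statuses").to_h { |s| [s.fetch("context"), s.fetch("state")] }
  return :untested if by_context.empty? || (required - by_context.keys).any?
  return :failed if by_context.values.any? { |s| %w[failure error].include?(s) }
  return :untested if by_context.values.any? { |s| s == "pending" }
  data["state"] == "success" ? :tested : :untested
end

if __FILE__ == $PROGRAM_NAME
  { "all green" => ALL_GREEN, "one red" => ONE_RED, "never tested" => NEVER_TESTED }.each do |label, payload|
    puts "#{label}: #{ci_verdict(payload)}"
  end
end
```

The distinction between :failed and :untested matters for a dependency update: a failing build is information about the new version, while an empty or incomplete status list says nothing about it and should block an auto-merge rather than pass as green.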

All the info you need to make an informed decision about a dependency update

Get notified about the new version right alongside your code, with a GitHub pull request. No emails, and no need for you to check a website repeatedly.

What changed? We gather everything we can find about the new version, from GitHub release notes and the project's changelog to all commits for that version, so you don’t need to hunt that down yourself over and over again.

You know right away whether your code works with the new version, since the PR triggers a test run. If it doesn’t, the pull request is a good place to start working on fixing the issues.

Take a look at the example repo to see our pull requests in action.

"The direct link to the changelog and the list of commits allow me to quickly look at the changeset, which is very helpful when trying to determine if there is any commit that requires additional investigation."
Simone Carletti
CTO, dnsimple

You stay in control

In the ideal case all you need to do now is click that merge button. It’s up to you to assess the risk using the details from the pull request. Only you know your code base and your test coverage and can decide how risky that upgrade is. So you decide if and when to merge.

Let Depfu take all the boring work of keeping your dependencies up to date off your shoulders and, optimally, boil it all down to a few clicks. This is as close to fully automatic as we could possibly make it.

Your code is safe with us

Uncomfortable giving us access to your code? Don’t worry, we get it. Our mission is to help you keep your dependencies up to date, nothing more. We understand the security of your company’s source code is extremely important and we’ve built Depfu with that in mind. Read our security documentation about what kind of access we need and why.

If this is a blocker for you, please contact us; we’re working on several alternative strategies that require fewer permissions on GitHub.