Fully divesting from the Dependabot ecosystem. Unless you are in the tooling space of GitHub's own code (JS, Go, Ruby), it's effectively abandonware.
We've been sampling Renovate for a long time now in open source and lately for internal repos to great effect. It's never been a priority to switch, but it always felt inevitable.
Today my personal tipping point was reached. So it's now rolled out on a bunch of cashapp repos. Tomorrow I'll continue with some square repos and my personal ones.
@msfjarvis It had a huge ramp up and then seemingly just stopped. I actually would rather it not even try for some of the tools it purports to support (like Gradle).
@jw Agreed, when they got acquired by GitHub they basically disappeared off the face of the Earth while they were integrating Dependabot into GitHub's monolith and the development velocity just never recovered.
@jw I’ve really liked Renovate on personal projects. Being able to enable auto-submit for patch dependency updates is 👌
@jw I've recently set up Renovate to run in our private repos. It works really well, especially for projects that migrated to TOML catalogs, but it's a pretty basic setup running the GitHub Action (not the app) twice a day from GitHub runners, which take way too long. What does your setup look like for non-open-source? Do you use the free GitHub app or do you self-host?
@GSala We self-hosted because it connects to our internal Artifactory for bumping internal dependencies, too.
@jw what's wrong with Dependabot exactly? I'm a GitLab user, so I know it exists but it's not compatible so I never looked deeper into it
@clovis For the Android/Java/Kotlin/Gradle ecosystem, at least, it doesn't support updating the Gradle wrapper, Gradle version catalogs, or Gradle version lock files. Issues have been open for years. So if you use best practices it effectively doesn't work on anything for you.
Development seems to only really be focused on the ecosystems that GitHub itself uses and others are left behind.
@jw Every time I've wanted to do something specific it's been like "there's a 3 year old issue for it in Dependabot" and with Renovate it's either a quick regex manager away or has just always worked perfectly. I feel Dependabot is understaffed to some extent but it's still inexcusably bad for what it promises.
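Two of the Renovate features mentioned in this thread, auto-submitting patch updates (the reply about personal projects) and a custom regex manager (the last reply), fit in one `renovate.json`. The config below is an added illustration, not a file from any of the posters or from the Renovate project; the `versions.env` file it tracks is a hypothetical one that pins tool versions as `NAME=1.2.3` lines, each preceded by a comment of the form `# renovate: datasource=<datasource> depName=<owner/repo>` so the regex can recover the datasource and dependency name. Only documented Renovate options are used (`packageRules`, `matchUpdateTypes`, `automerge`, `minimumReleaseAge`, `customManagers` with `customType: "regex"`).

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "packageRules": [
    {
      "description": "Auto-merge patch updates, but only once the release has been public for three days, so a pulled or malicious release is less likely to land unattended",
      "matchUpdateTypes": ["patch"],
      "minimumReleaseAge": "3 days",
      "automerge": true
    },
    {
      "description": "Major updates always stay as a PR for human review",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ],
  "customManagers": [
    {
      "customType": "regex",
      "description": "Hypothetical versions.env: track tool versions annotated with a '# renovate:' comment line",
      "fileMatch": ["^versions\\.env$"],
      "matchStrings": [
        "# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: versioning=(?<versioning>[a-z-]+?))?\\s+[A-Z_]+=(?<currentValue>.+?)\\s"
      ]
    }
  ]
}
```

The regex manager takes its datasource, dependency name and optional versioning scheme from named capture groups in the annotation comment, so any file following that convention needs no per-dependency configuration. Pairing `automerge` with `minimumReleaseAge` is the part a security reviewer will ask about: it keeps the convenience of unattended patch bumps while giving upstream time to yank a bad release before it reaches the default branch.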