> There's an issue where security alerts for uv projects are not working correctly. Specifically, the uv.lock file is not being updated when security alerts are triggered.
— https://github.com/dependabot/dependabot-core/issues/10478#i...
I was expecting it to be replaced once they announced they were integrating Endor Labs into their GitHub Advanced Security enterprise offerings but all the news I've heard since that announcement has been focused on merging into Microsoft & AI-related layoffs so I presume someone just forgot to turn the Dependabot light off as they were leaving.
We are using something heavily derived from https://github.com/romoh/dependencies-autoupdate
esafak•4w ago
rmunn•4w ago
Second question: could you expand a little bit on why you like renovate better than dependabot? I can see how the regex handler could be useful for a lot of custom scenarios, but what else makes you say that renovate is the better product?
esafak•4w ago
I particularly like its ability to synchronize updates to packages across ecosystems. You can sync a tool's version in Docker, mise, and GHA, for example. You can run arbitrary post-upgrade tasks.
baby_souffle•4w ago
The bigger concern is that you're effectively letting them (shallow) clone your repo. I prefer to self-host but that's not anywhere near as quick/easy as clicking the "integrate with GitHub" button.
> Second question: could you expand a little bit on why you like renovate better than dependabot?
They both do the same thing in about the same way... Dependabot is meant to be run at _massive_ scale across all of github so it has good support for the basic / common places people pin versions. It is quite slow to get support for newer conventions that are not ubiquitous across all of github. Easy example: k8s manifests where you might have "use $thisVersion of HelmChart" buried somewhere in yaml instead of in a clear-cut place like `requirements.txt`
Renovate has optional web UI and can be integrated with GitHub as an "app" for some interactive features but that's not worth the setup for small scale.
Renovate is _much_ more robust / the number of $things that it can detect and is a lot more extensible; as mentioned elsewhere in this thread, the regex feature is delightful. It's a pain to debug, but once you grock it / figure out how the custom regex stuff works, it's really nice.
I have more than a few scripts where the only versioned dependency is embedded in some URL:
``` wget http://github.com/some-repo/releases/v1.2.3/the-tool.tar.gz ```
And after a bit of regex work, renovate now knows to check that repos release page for updated versions and when it finds one, it updates the URL and pings me with a PR.
jamietanna•4w ago
Before I joined Mend to work on Renovate, I wrote https://news.ycombinator.com/item?id=40011111 which goes into some ways I found Renovate better than Dependabot, and it still very much holds true (although I'm a little more biased now!)
You can also check out https://docs.renovatebot.com/bot-comparison/ for a high level comparison between the two
Re costs / why giving things away for free - @rarkins (Rhys Arkins, who created Renovate) has worked very hard over the years to give as much good stuff away to the community, and make it more straightforward for folks to run Renovate
The core (Mend Renovate CLI (AGPL-3.0-only)) is free to use and run as you want, and many folks do - it's very flexible and scales well as-is
But if you want things like real-time webhook processing of "rebase this PR" (and/or a few other features) then Mend Renovate Self-Hosted Community (commercial-but-free) Edition is a nice packaging and layer on top of the CLI for that
Running the CLI itself on a schedule against your repos is also absolutely viable as a solution, and we have many users who do that and are super happy with it
rtpg•4w ago
Dependabot integrates decently well with Github of course but so far renovate has worked well for us.
tasuki•4w ago
Hooked? I always look how to turn it off. I never once found it useful.