Besides obtaining your email, deppbot will also be granted read/write permissions to both your public and private repositories.
However, deppbot will ONLY access a repository after you Subscribe it on your Dashboard.
Based on our default daily schedule or your configured schedule, deppbot will do a bundle update for the Gemfile in the repository. Then, deppbot will issue a Bundle Update Pull Request to the repository for the changes made to Gemfile.lock.
If you use bundler v.1.10+, deppbot will preserve your BUNDLED_WITH section in the Gemfile.lock. Read more about Bundler's BUNDLED_WITH on Bundler's blog.
Besides a Bundle Update Pull Request, deppbot is also able to issue a Security Update Pull Request (feature launched on Christmas 2015). Basically deppbot detects and patches vulnerable ruby gems with secure versions.
For more information on how a Security Update Pull Request works, please refer to our announcement.
GitHub displays a Delete Branch button as soon as you close or merge a Pull Request.
We encourage you to use that!
For bundle updates, deppbot runs every day by default but has a configurable frequency of 3 days, 5 days, 1 week or 2 weeks that can be adjusted in Edit Settings for every subscribed repository.
However, if the last run didn't yield any updates to Gemfile.lock, then deppbot will run again the following day on your repository, and ignore the configured schedule.
For security updates, deppbot checks for ruby gem vulnerabilities several times a day because your application's security is our priority, and will issue a Pull Request as soon as a vulnerability is found.
There is an exception though: To ensure that the repository would not be spammed daily with deppbot's Pull Request, deppbot will only issue a new (Bundle or Security Update) Pull Request after the most recent Pull Request has been closed or merged.
Yes! You can modify the frequency with the options of 1 day, 3 days, 5 days, 1 week or 2 weeks in Edit Settings for every subscribed repository.
You might have subscribed a repository without a Gemfile or Gemfile.lock, i.e. a ruby gem.
Essentially, in order for bundle update to work, Gemfile AND Gemfile.lock are required. Otherwise, deppbot will not be able to process your repository.
Your project is already up-to-date.
When deppbot processes your repository, it will be cloned to our server.
However, as soon as bundle update is done, the repository WILL BE DELETED IMMEDIATELY from our server.
Jolly Good Code employees will only access the account for the purpose of providing support.
deppbot depends on RubyGems.org API to obtain metadata (including the source URL) for a ruby gem. Therefore deppbot is sometimes unable to link to the source repository for ruby gems with incomplete metadata on RubyGems.org.
If you are a ruby gem author, you can help by updating your ruby gem's metadata on https://rubygems.org/gems/[GEM-NAME]/edit.
In addition, deppbot is unable to link to ruby gems from https://rails-assets.org at the moment.
deppbot is unable to link to a Compare View on GitHub or Bitbucket for ruby gems that do not have a version tag or revision SHA1 associated with a release on RubyGems.org.
We wanted to call it depbot, but the domain is not available. And, Johnny Depp is cool.