Dependency updates are important, but they are almost never more important than the work your team is doing.

At Depfu our goal is to build a service that really helps your team stay up-to-date without getting annoying or in the way.

We got a lot of feedback about how Depfu’s pull requests affect your CI system, and we just shipped a few improvements to make sure we’re not monopolizing your CI and blocking more important work.

Creating pull requests right away

In the past, we waited to create the pull request until we knew the CI results for the branch we pushed. While that still makes sense in certain cases for Ruby library projects, we now push the branch and create the pull request at the same time.

That allows you to minimize the number of builds caused by Depfu by configuring your CI to only build pull requests or to specifically blacklist our topic branches. This is also a common config, and Depfu now works with it out of the box.

Limiting concurrent builds

Most CI services and systems have a limit on concurrent builds. Depfu now tracks how many builds are currently running for your GitHub organization and schedules new updates so that we never use more than 1 concurrent slot of your CI. This hopefully leaves enough room for your other work and prevents Depfu from hogging your CI when there are a lot of updates at the same time or when we have to rebase multiple open PRs.

Limiting in-progress dependency updates

The “work in progress” limit is a core concept from Kanban. Limiting the amount of WIP improves throughput and reduces the amount of work “nearly done” by forcing the team to focus on a smaller set of tasks.

We’re seeing that the most successful teams using Depfu merge pull requests quite often and don’t leave many of them open at the same time. If pull requests start to pile up, they get harder to handle and the chance of merge conflicts grows. Depfu does handle merge conflicts automatically, but that causes more work for your CI, because it needs to run the build again for all the “rebased” branches.

We decided to experiment with a limit on open Depfu pull requests per repo. If you’re merging PRs regularly, you’ll never notice the limit, and if you’re behind on merging, it prevents you from ending up with a huge list of open PRs. As soon as you’re below the limit again, we’ll send you the queued-up updates.

We think the “in progress” limit makes managing dependency updates a lot easier. We’re also working on special handling for security updates, so that you will always get those right away.

Talk to us

We’re here to make Depfu useful for you! Please let us know what you think about these changes and how they affect your use of Depfu. If you have any other suggestions, we’re always listening. Let us know on Twitter or via email.