Here’s how Depfu works

Depfu is like a colleague who sends you pull requests with all the info you need about a gem update. You stay in control of if and when to merge.

Activate your public or private Github repo after signing up on the Depfu website, just like on Travis-CI. That’s all you need to do.

We currently support all Ruby projects using Bundler. More languages coming soon!

You need to have CI integrated with your Github repo via the status API to get the most out of Depfu.

Simply connect your Github repo with Depfu. That’s it.

  • Depfu connects to Github via their OAuth API. We fetch a list of all your repos and you decide for each of them if you want to enable Depfu.
  • You don’t need to add any files to your repo or change any Github settings manually.
  • Once you enable a repo we fetch the Gemfile and Gemfile.lock to find out which Rubygems you depend on and start monitoring them for new versions.
  • We install a webhook on your repo that informs us about changes to your Gemfile, so we always know if you add or remove a library.
  • All interaction with your repo happens via the GitHub API. We never clone your repo, not even temporarily.

We keep track of new versions so you don’t have to

Once we have parsed your Gemfile and Gemfile.lock we know exactly which gems and versions you depend on. We connect to rubygems.org to listen for new releases. For every new version of a gem that you depend on we create a branch. In the branch we change your Gemfile and/or Gemfile.lock to pull in the new version. We rely on your CI to trigger a test run for the branch (or pull request) we created.
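An added example, not Depfu's own code, of the first step described above: parse a Gemfile.lock, compare each locked gem against the newest version known upstream, and list the gems that would get an update branch, ordered by the size of the version jump. The lockfile fragment and the table of latest versions are constructed stand-ins for a real repo and the rubygems.org feed.

```ruby
# Constructed Gemfile.lock fragment; gem names and versions are illustrative only.
LOCKFILE = <<~LOCK
  GEM
    specs:
      mini_portile2 (2.8.0)
      nokogiri (1.13.9)
        mini_portile2 (~> 2.8.0)
      rack (2.2.3)

  DEPENDENCIES
    nokogiri
    rack (~> 2.2)
LOCK
# Constructed stand-in for the newest release of each gem as reported by rubygems.org.
LATEST_VERSIONS = { "nokogiri" => "1.14.0", "rack" => "3.0.0", "mini_portile2" => "2.8.1" }.freeze

# Every resolved gem in a "specs:" block as name => Gem::Version. Resolved gems sit at
# four spaces; lines indented further are a gem's own requirements and are skipped.
def locked_versions(lockfile)
  versions, in_specs = {}, false
  lockfile.each_line do |line|
    in_specs = false if line =~ /\A[A-Z]/   # new top-level section (GEM, DEPENDENCIES, ...)
    in_specs = true if line =~ /\A  specs:/
    next unless in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
    versions[m[1]] = Gem::Version.new(m[2].split("-", 2).first)  # drop "-x86_64-linux" style suffix
  end
  versions
end

# Gems named in the DEPENDENCIES section, i.e. the ones declared in the Gemfile itself.
def direct_dependencies(lockfile)
  lockfile[/^DEPENDENCIES\n((?:  .*\n)*)/, 1].to_s.scan(/^  ([^\s(!]+)/).flatten
end

# First differing segment (major/minor/patch) is the risk signal a reviewer weighs.
def bump_kind(from, to)
  a, b = from.segments, to.segments
  idx = (0...[a.size, b.size].max).find { |i| a[i].to_i != b[i].to_i }
  %i[major minor patch][idx || 3] || :patch
end

# Gems whose newest release is ahead of the locked one, riskiest bump first.
def outdated_gems(lockfile, latest)
  direct = direct_dependencies(lockfile)
  locked_versions(lockfile).map do |name, current|
    newest = latest[name] && Gem::Version.new(latest[name])
    next if newest.nil? || newest <= current
    { name: name, from: current.to_s, to: newest.to_s, bump: bump_kind(current, newest), direct: direct.include?(name) }
  end.compact.sort_by { |u| [%i[major minor patch].index(u[:bump]), u[:name]] }
end
```

Each entry returned by `outdated_gems` carries what a reviewer needs before opening a branch: the locked and newest versions, whether the gem is a direct dependency, and how large the jump is.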

Automatically integrates with your CI service

Knowing if your tests pass with a new version of a dependency is half the battle. To integrate with your CI, Depfu uses the Github Status API, which is supported by pretty much all CI services from Travis-CI to your own Jenkins instance. That means we don’t actually run any of your tests ourselves; we rely on your CI to test branches and pull requests and report the results back to Github.

All the info you need to make an informed decision about a dependency update

Get notified about the new version right in your code, with a Github Pull Request. No emails and no need for you to check a website repeatedly.

We notify you after your CI has run your tests with the new version, so you know right away if your code works or not. If it doesn’t, the pull request is a good place to start working on fixing the issues.

What changed? We gather everything we can find about the new version, from Github release notes and the project's changelog to all commits for that version, and put it in the pull request. So you don’t need to hunt that down yourself over and over again.

You stay in control

In the ideal case all you need to do now is to click that merge button. It’s up to you to assess the risk using the details from the pull request. Only you know your code base and your test coverage and can decide how risky that upgrade is. So you decide if and when to merge.

Let Depfu take all the boring work of keeping your dependencies up to date off your shoulders and, ideally, boil it all down to a few clicks. This is as close to fully automatic as we could possibly make it.

Your code is safe with us

Uncomfortable giving us access to your code? Don’t worry, we get it. Our mission is to help you keep your dependencies up to date, nothing more. We understand the security of your company’s source code is extremely important and we’ve built Depfu with that in mind. Read our security documentation about what kind of access we need and why.

If this is a blocker for you please contact us; we’re working on several alternative strategies that require fewer permissions on Github.