dependabot

An open index of dependabot pull requests across open source projects on GitHub.

https://github.com/ecosyste-ms/dependabot

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Committers with academic emails
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.3%) to scientific vocabulary

Keywords from Contributors

annotation optim sequences interactive network-simulation yolov5 hacking agents embedded scheduling
Last synced: 6 months ago

Repository

Basic Info
Statistics
  • Stars: 2
  • Watchers: 2
  • Forks: 0
  • Open Issues: 5
  • Releases: 0
Created 9 months ago · Last pushed 6 months ago
Metadata Files
Readme License Citation

README.md

Ecosyste.ms: dependabot

An open index of Dependabot pull requests and security advisories across open source projects, providing insights into dependency update patterns and security vulnerability management.

What is this?

This service tracks and analyzes Dependabot pull requests across GitHub repositories, helping package maintainers, security researchers, and developers understand:

  • Dependency Update Patterns: Which packages are being updated most frequently, what types of updates are common (major, minor, patch), and which repositories are keeping their dependencies current
  • Security Advisory Coverage: Which security vulnerabilities are being addressed by Dependabot PRs, tracking the relationship between published advisories (CVEs, GHSAs) and automated dependency updates
  • Ecosystem Health: Adoption patterns of dependency management across different programming language ecosystems

Who is this useful for?

Package Maintainers

  • Track downstream adoption: See which repositories are receiving Dependabot PRs for your packages
  • Monitor update patterns: Understand how quickly the community adopts new versions of your packages
  • Security impact assessment: Identify which security advisories affect your packages and track remediation

Security Researchers

  • Vulnerability landscape: Analyze how security advisories propagate through the open source ecosystem
  • Response time analysis: Study how quickly vulnerabilities are addressed through automated dependency updates
  • Impact assessment: Understand the blast radius of security vulnerabilities across projects

DevOps & Security Teams

  • Dependency intelligence: Research packages before adoption by understanding their update frequency and security history
  • Benchmark practices: Compare your dependency management practices against similar projects
  • Supply chain insights: Track security advisories and their resolution across your technology stack

Key Features

  • Package Search: Find packages and explore their Dependabot activity across repositories
  • Security Advisory Tracking: Browse security advisories and see which Dependabot PRs address them
  • Analytics: View trends in dependency updates, merge rates, and security response times
  • Cross-references: Link between packages, repositories, issues, and security advisories
  • REST API: Programmatic access to all data for integration with your tools
  • RSS Feeds: Subscribe to real-time updates for specific packages, repositories, or global activity

This project is part of Ecosyste.ms, tools and open datasets to support, sustain, and secure critical digital infrastructure.

API

Documentation for the REST API is available here: https://dependabot.ecosyste.ms/docs

The default rate limit for the API is 5,000 requests per hour, applied per client IP address. Get in contact if you need a higher limit.

Development

For development and deployment documentation, check out DEVELOPMENT.md

Contribute

Please do! The source code is hosted at GitHub. If you want something, open an issue or a pull request.

If you want to contribute but don't know where to start, take a look at the issues tagged as "Help Wanted".

You can also help triage issues for dependabot. This can include reproducing bug reports, or asking for vital information such as version numbers or reproduction instructions.

Finally, this is an open source project. If you would like to become a maintainer, we will consider adding you if you contribute frequently to the project. Feel free to ask.

For other updates, follow the project on Twitter: @ecosyste_ms.

Note on Patches/Pull Requests

  • Fork the project.
  • Make your feature addition or bug fix.
  • Add tests for it. This is important so we don't break it in a future version unintentionally.
  • Send a pull request. Bonus points for topic branches.

Vulnerability disclosure

We support and encourage security research on Ecosyste.ms under the terms of our vulnerability disclosure policy.

Code of Conduct

Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.

Copyright

Code is licensed under the GNU Affero General Public License (AGPL-3.0) © 2023 Andrew Nesbitt.

Data from the API is licensed under CC BY-SA 4.0.

Owner

  • Name: Ecosystems
  • Login: ecosyste-ms
  • Kind: organization
  • Email: hello@ecosyste.ms
  • Location: United Kingdom

Tools and open datasets to support, sustain, and secure critical digital infrastructure

Citation (CITATION.cff)

cff-version: 1.2.0
title: 'Ecosyste.ms: Dependabot'
message: >-
  If you use this software, please cite it using the
  metadata from this file.
type: software
authors:
  - given-names: Andrew
    family-names: Nesbitt
    email: andrew@ecosyste.ms
    orcid: 'https://orcid.org/0009-0007-2710-1118'
repository-code: 'https://github.com/ecosyste-ms/dependabot'
url: 'https://dependabot.ecosyste.ms'
abstract: >-
  An open index of dependabot pull requests across open source projects.
keywords:
  - open source
  - package management
  - software
license: AGPL-3.0

GitHub Events

Total
  • Issues event: 5
  • Delete event: 19
  • Issue comment event: 18
  • Push event: 56
  • Pull request event: 38
  • Create event: 26
Last Year
  • Issues event: 5
  • Delete event: 19
  • Issue comment event: 18
  • Push event: 56
  • Pull request event: 38
  • Create event: 26

Committers

Last synced: 6 months ago

All Time
  • Total Commits: 131
  • Total Committers: 3
  • Avg Commits per committer: 43.667
  • Development Distribution Score (DDS): 0.015
Past Year
  • Commits: 131
  • Committers: 3
  • Avg Commits per committer: 43.667
  • Development Distribution Score (DDS): 0.015
Top Committers
Name Email Commits
Andrew Nesbitt a****z@g****m 129
github-actions[bot] g****] 1
dependabot[bot] 4****] 1

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 4
  • Total pull requests: 47
  • Average time to close issues: 1 day
  • Average time to close pull requests: 1 day
  • Total issue authors: 1
  • Total pull request authors: 1
  • Average comments per issue: 0.0
  • Average comments per pull request: 0.62
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 47
Past Year
  • Issues: 4
  • Pull requests: 47
  • Average time to close issues: 1 day
  • Average time to close pull requests: 1 day
  • Issue authors: 1
  • Pull request authors: 1
  • Average comments per issue: 0.0
  • Average comments per pull request: 0.62
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 47
Top Authors
Issue Authors
  • andrew (4)
Pull Request Authors
  • dependabot[bot] (47)
Top Labels
Issue Labels
enhancement (1) bug (1) good first issue (1) help wanted (1)
Pull Request Labels
dependencies (47) ruby (46) github_actions (1)

Dependencies

.github/workflows/ci.yml actions
  • actions/checkout v4 composite
  • actions/setup-node v4.4.0 composite
  • ruby/setup-ruby v1 composite
  • postgres 14 docker
  • redis * docker
.github/workflows/upgrade-ruby.yml actions
  • actions/checkout v4 composite
  • andrew/ruby-upgrade-action main composite
Dockerfile docker
  • ruby 3.4.4-slim build
docker-compose.yml docker
  • postgres 14.1-alpine
Gemfile rubygems
  • dotenv-rails >= 0 development
  • mocha >= 0 development
  • rails-controller-testing >= 0 development
  • shoulda-context >= 0 development
  • shoulda-matchers >= 0 development
  • web-console >= 0 development
  • webmock >= 0 development
  • addressable >= 0
  • appsignal >= 0
  • bootsnap >= 0
  • bootstrap >= 0
  • bootstrap-icons-helper ~> 2.0
  • chartkick >= 0
  • counter_culture >= 0
  • faraday >= 0
  • faraday-follow_redirects >= 0
  • faraday-multipart >= 0
  • faraday-retry >= 0
  • faraday-typhoeus >= 0
  • gitlab >= 0
  • google-protobuf >= 0
  • groupdate >= 0
  • jbuilder >= 0
  • jquery-rails >= 0
  • octicons_helper >= 0
  • octokit >= 0
  • ostruct >= 0
  • pagy >= 0
  • pg ~> 1.5
  • pg_query >= 0
  • pghero >= 0
  • postgresql_cursor >= 0
  • puma >= 0
  • rack-attack >= 0
  • rack-attack-rate-limit >= 0
  • rack-cors >= 0
  • rails ~> 8.0.0
  • redis >= 0
  • rswag-api >= 0
  • rswag-ui >= 0
  • sassc-rails >= 0
  • sidekiq >= 0
  • sidekiq-status >= 0
  • sidekiq-unique-jobs >= 0
  • sitemap_generator >= 0
  • sprockets-rails >= 0
Gemfile.lock rubygems
  • 141 dependencies