January 7, 2026
Bot wars: who updates the updaters?
How Dependabot Actually Works
Not a genius robot—crowd says Renovate rules while GitHub keeps the secret sauce
TLDR: A deep dive shows Dependabot’s core is open but memoryless, while GitHub’s scheduling magic stays closed. Commenters say that’s why many switch to Renovate, praising flexibility and warning about lock-in—a big deal for teams picking tools to automate updates without losing control.
Developers just learned the “bot” in GitHub’s Dependabot isn’t really a brainy robot—it’s a stateless Ruby toolkit called dependabot-core that forgets everything between runs, while GitHub’s closed services handle the scheduling and memory. Yes, the core was re-licensed under the permissive MIT license in May 2024, but the orchestration that makes it feel like magic? Still locked up. The deep dive also exposed a wild toolbox under the hood: multiple Python versions stuffed into a container, a forked Yarn, and naming oddities that don’t match the new PURL standard. Translation: self-hosting means rebuilding the puppet strings yourself.
And the comments? Oh, they came in hot. One loud camp cheered the openness win, but a bigger, sassier crowd shouted: just use Renovate. User esafak called Dependabot’s free tier a “hook,” praising Renovate’s flexible rules and regex magic. Self-hosters rolled their eyes at the “open core, closed service” combo, warning of lock-in and mapping headaches. Meanwhile, defenders said GitHub’s secret sauce is what keeps the trains running on time. The memes were merciless: people joked it’s a goldfish with a GitHub badge—no memory!—and a “bot in a trench coat” pretending to be a service. Verdict from the peanut gallery: cool library, but the real power lives behind the curtain, and Renovate stans are doing victory laps.
Key Points
- dependabot-core is a stateless Ruby library providing update logic; GitHub’s scheduling, state tracking, and coordination remain proprietary.
- GitHub relicensed dependabot-core to MIT in May 2024, replacing the Prosperity Public License.
- The library supports 25+ ecosystems via four core classes: FileFetcher, FileParser, UpdateChecker, and FileUpdater, with complexity varying by ecosystem.
- dependabot-core shells out to native package managers and bundles tooling (multiple Python versions, Rust), with various patches for npm, Yarn, Bundler, and pacote.
- Testing includes a networkless “silent” ecosystem using txtar; NuGet support uses NuGet.Client and .NET Core submodules.
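To make the "stateless four-stage library" point concrete, here is an added illustrative example (not code from dependabot-core or GitHub) of a miniature update pipeline arranged around the same four stage names the article lists: fetch, parse, check, update. The class names, the `name == version` manifest format, and the in-memory "registry" are all constructed assumptions; the real library's API, manifest parsers and registry clients are different and far larger. What the toy shows is the property the article describes: one run rebuilds its whole view from the manifest and the registry, keeps nothing between calls, and leaves scheduling and "have we already opened a PR for this?" bookkeeping to whatever orchestrates it.

```ruby
require "rubygems" # Gem::Version gives numeric (not lexical) version ordering

# Constructed sample manifest in a toy "name == version" format (not a real project).
SAMPLE_MANIFEST = <<~TXT
  # constructed sample, not a real project
  rack == 2.2.3
  nokogiri == 1.15.4
  puma == 6.4.0
TXT

# Constructed stand-in for a package index: versions advertised per name.
SAMPLE_REGISTRY = {
  "rack"     => %w[2.2.3 2.2.8 3.0.8],
  "nokogiri" => %w[1.15.4 1.16.0],
  "puma"     => %w[6.4.0],
}.freeze

Dependency = Struct.new(:name, :version, keyword_init: true)

# Stage 1: obtain the manifest content. In a stateless run this is re-read
# every time; nothing from a previous run survives.
class FileFetcher
  def initialize(source)
    @source = source
  end

  def fetch
    @source
  end
end

# Stage 2: turn manifest text into structured dependencies.
class FileParser
  LINE = /\A\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.-]*)\s*\z/

  def initialize(content)
    @content = content
  end

  def parse
    @content.each_line.filter_map do |line|
      next if line.strip.empty? || line.lstrip.start_with?("#")
      m = LINE.match(line)
      raise ArgumentError, "unparseable line: #{line.inspect}" unless m
      Dependency.new(name: m[1], version: m[2])
    end
  end
end

# Stage 3: decide, per dependency, whether the registry advertises something newer.
class UpdateChecker
  def initialize(dependency, registry)
    @dep = dependency
    @registry = registry
  end

  def latest_version
    candidates = @registry.fetch(@dep.name, [])
    candidates.map { |v| Gem::Version.new(v) }.max&.to_s
  end

  def up_to_date?
    latest = latest_version
    latest.nil? || Gem::Version.new(@dep.version) >= Gem::Version.new(latest)
  end
end

# Stage 4: write chosen versions back, touching only lines that actually change.
class FileUpdater
  def initialize(content, updates)
    @content = content
    @updates = updates
  end

  def updated_content
    @content.each_line.map do |line|
      m = FileParser::LINE.match(line)
      next line unless m && @updates.key?(m[1])
      line.sub(m[2], @updates[m[1]])
    end.join
  end
end

# One complete stateless run: returns the updates found and the rewritten manifest.
# A scheduler (the part the article says stays proprietary) would call this
# repeatedly; each call starts from scratch with no memory of earlier runs.
def run_update(manifest, registry)
  content = FileFetcher.new(manifest).fetch
  deps = FileParser.new(content).parse
  updates = deps.each_with_object({}) do |dep, acc|
    checker = UpdateChecker.new(dep, registry)
    acc[dep.name] = checker.latest_version unless checker.up_to_date?
  end
  { updates: updates, content: FileUpdater.new(content, updates).updated_content }
end

if __FILE__ == $PROGRAM_NAME
  result = run_update(SAMPLE_MANIFEST, SAMPLE_REGISTRY)
  puts result[:updates].inspect
  puts result[:content]
end
```

Running it reports rack and nokogiri as updatable and leaves puma alone; the comment line passes through the updater untouched because only parsed dependency lines are rewritten. Anything a real deployment needs beyond this single pass (when to run, which updates were already proposed, grouping, rate limits) is exactly the orchestration the article says self-hosters have to rebuild themselves.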