// the find
dependabot/dependabot-core
🤖 Dependabot's core logic for creating update PRs.
This is the Ruby library that powers GitHub's Dependabot service — the actual logic for parsing dependency files, resolving latest versions, and generating PR diffs across 15+ ecosystems. If you want to self-host dependency update automation or build tooling on top of Dependabot's resolution logic, this is the code you'd pull in.
The ecosystem abstraction is genuinely well-designed: each package manager implements the same FileFetcher/FileParser/UpdateChecker/FileUpdater interface, so you can drop in a new ecosystem without touching shared code. The credential proxy architecture — private registry credentials are held by a proxy and never handed to the core library — is a smart security boundary: a malicious manifest that gets code execution during resolution still can't read the registry credentials. The dry-run script and CLI tooling make local debugging actually feasible, including per-ecosystem Docker images with the native package managers pre-installed. It handles the hard cases: lockfile regeneration, resolvability constraints, and changelogs in PR descriptions.
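To make the four-stage interface concrete, here is an added example of the same pipeline shape on a toy ecosystem. It is illustration written for this page, not dependabot-core's own classes: the `deps.txt` manifest format, the in-memory `repo` and `registry` hashes, and the `Pipeline` driver are all assumptions. The only behaviour borrowed from the real service is the rule that pre-release versions are never proposed as the update target.

```ruby
require "rubygems" # Gem::Version ships with Ruby; used for semantic comparison

Dependency     = Struct.new(:name, :version, :operator, keyword_init: true)
DependencyFile = Struct.new(:name, :content, keyword_init: true)

# Stage 1 - FileFetcher: pull only the manifests this ecosystem understands.
# `repo` is a constructed Hash standing in for a checked-out repository.
class FileFetcher
  REQUIRED_FILES = ["deps.txt"].freeze

  def initialize(repo)
    @repo = repo
  end

  def files
    REQUIRED_FILES.map do |name|
      raise "manifest #{name} not found" unless @repo.key?(name)
      DependencyFile.new(name: name, content: @repo[name])
    end
  end
end

# Stage 2 - FileParser: turn manifest text into Dependency objects.
# Manifest lines look like "rack >= 2.2.0" (constructed toy format).
class FileParser
  LINE = /\A(?<name>[\w-]+)\s+(?<op>>=|~>|==)\s+(?<version>[\w.]+)\z/

  def initialize(files)
    @files = files
  end

  def parse
    @files.flat_map do |file|
      file.content.each_line.map(&:strip).reject(&:empty?).map do |line|
        m = LINE.match(line)
        raise "unparseable line: #{line.inspect}" unless m
        Dependency.new(name: m[:name], version: m[:version], operator: m[:op])
      end
    end
  end
end

# Stage 3 - UpdateChecker: ask the registry for the newest stable release.
# `registry` is a constructed Hash of name => [versions]. Pre-releases are
# skipped, so a "3.0.0.pre" entry never becomes the proposed version, and an
# unknown package yields nil rather than a bogus update.
class UpdateChecker
  def initialize(dependency, registry)
    @dependency = dependency
    @registry   = registry
  end

  def latest_version
    @registry.fetch(@dependency.name, [])
             .map { |v| Gem::Version.new(v) }
             .reject(&:prerelease?)
             .max
  end

  def can_update?
    latest = latest_version
    !latest.nil? && latest > Gem::Version.new(@dependency.version)
  end
end

# Stage 4 - FileUpdater: rewrite the manifest, touching only the lines whose
# dependency has an update so the resulting diff stays minimal.
class FileUpdater
  def initialize(files, updates)
    @files   = files
    @updates = updates # { "rack" => "2.2.3", ... }
  end

  def updated_files
    @files.map do |file|
      new_content = file.content.each_line.map do |line|
        m = FileParser::LINE.match(line.strip)
        next line unless m && @updates.key?(m[:name])
        # replace the trailing version token, keeping operator and newline intact
        line.sub(/#{Regexp.escape(m[:version])}(?=\s*\z)/, @updates[m[:name]])
      end.join
      DependencyFile.new(name: file.name, content: new_content)
    end
  end
end

# Shared driver: every ecosystem is exercised through the same four calls.
module Pipeline
  def self.run(repo, registry)
    files   = FileFetcher.new(repo).files
    deps    = FileParser.new(files).parse
    updates = deps.each_with_object({}) do |dep, acc|
      checker = UpdateChecker.new(dep, registry)
      acc[dep.name] = checker.latest_version.to_s if checker.can_update?
    end
    FileUpdater.new(files, updates).updated_files
  end
end

# Constructed sample input: "leftpad" is deliberately absent from the registry.
SAMPLE_REPO     = { "deps.txt" => "rack >= 2.2.0\nnokogiri ~> 1.13.0\nleftpad == 0.1.0\n" }
SAMPLE_REGISTRY = {
  "rack"     => ["2.2.0", "2.2.3", "3.0.0.pre"],
  "nokogiri" => ["1.13.0", "1.13.10"],
}

if __FILE__ == $PROGRAM_NAME
  Pipeline.run(SAMPLE_REPO, SAMPLE_REGISTRY).each { |f| puts f.content }
end
```

The point of the split is that only `FileFetcher` and `FileParser` know the manifest format, only `UpdateChecker` talks to a registry, and the driver never needs to change when a new ecosystem is added; it is also the seam where the real project keeps credentials on the far side of a proxy instead of inside these classes.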
The Docker-based dev environment is mandatory and heavy — you're pulling multi-GB images just to test a single ecosystem, and ARM users get 2-3x slower containers with no pre-built images. The library assumes a throw-away sandbox (it mutates the filesystem, forks native package managers, and so on), so embedding it in a long-running process requires significant plumbing you have to build yourself. Self-hosting is under-documented: the CLI produces diffs but not PRs, and wiring that last mile is left as an exercise. Because this is GitHub-internal tooling made public, the public issue tracker and contribution flow clearly aren't the primary driver — expect slower PR turnaround on anything that doesn't affect GitHub's own service.