[GH-ISSUE #807] Suggestion / request: Use Dependabot to update dependencies #569

Closed
opened 2026-02-26 02:33:35 +03:00 by kerem · 5 comments

Originally created by @greysteil on GitHub (Sep 24, 2018).
Original GitHub issue: https://github.com/koel/koel/issues/807

First of all, thanks for koel!

I've got a suggestion / request: would you be up for using [Dependabot](https://dependabot.com) to automatically create dependency update PRs for this repo? I ran it against my fork and it generated [these PRs](https://github.com/greysteil/koel/pulls). I'll port the `laravel/framework` one across to this repo now.

I built Dependabot and give it away for free to open source projects (partly for the exposure, but mainly because it feels good to give back and because the feedback is incredibly useful). I'm honestly only suggesting it because I hope it can save you some time doing work that is otherwise monotonous.

If you do decide to give Dependabot a go the easiest URL to add it from is https://github.com/apps/dependabot (alternatively you can go through the [GitHub Marketplace](https://github.com/marketplace/dependabot), but the flow there can be a little confusing for open-source repos on an organisation account).

:octocat:
kerem closed this issue 2026-02-26 02:33:35 +03:00
@phanan commented on GitHub (Sep 26, 2018):

@greysteil Dependabot looks great! I'll definitely give it a try, thanks!

@phanan commented on GitHub (Sep 26, 2018):

Why does it need WRITE access though?

@greysteil commented on GitHub (Sep 26, 2018):

Thanks @phanan!

Ack, the permissions are annoying. Dependabot creates branches on *this* repo - it doesn't fork it. That's the right behaviour for private repos, but ideally it would use a forking flow for public ones (although there are some advantages to not, too - it means CI runs using your setup, for example). Sadly, GitHub doesn't offer the ability for me to ask for different permission types for different kinds of repos, so the write permission is required for all repos :-(

I am trying to work with GitHub to get that fixed - the thread to chime in on suggesting you'd like this is [here](https://platform.github.community/t/feature-request-optional-permissions/5422). In the meantime, if your master branch is protected then Dependabot will never be able to push to it, and we specify in our terms of service that we won't push to branches that aren't namespaced under `dependabot`.
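The comment above rests on two controls: branch protection on `master`, and the app's promise to push only under the `dependabot` namespace. An added example (not from the issue, and not Dependabot's own code) that audits GitHub `push` webhook events for pushes by the bot that violate either; the bot login, branch prefix and protected-branch list are assumptions to adjust for your repo, and the sample events are constructed.

```python
"""Audit GitHub push webhook events for out-of-namespace pushes by a write-access app.

Added example, not part of the original issue or of Dependabot itself.
Assumes the standard GitHub `push` event fields (`ref`, `sender`, `forced`,
`deleted`); BOT_LOGIN, BOT_NAMESPACE and PROTECTED are assumptions.
"""
import re
from typing import Optional

BOT_LOGIN = "dependabot[bot]"      # assumption: login the app pushes as
BOT_NAMESPACE = "dependabot/"      # branches the app is allowed to own
PROTECTED = {"master"}             # assumption: branches protected in repo settings


def branch_of(ref: str) -> Optional[str]:
    """Return the branch name for refs/heads/<name>, else None (tags etc.)."""
    m = re.fullmatch(r"refs/heads/(.+)", ref)
    return m.group(1) if m else None


def audit_push(event: dict) -> list:
    """Return findings for one push event; an empty list means the push is in scope and OK."""
    findings = []
    if event.get("sender", {}).get("login") != BOT_LOGIN:
        return findings  # only the bot's pushes are audited here
    branch = branch_of(event.get("ref", ""))
    if branch is None:
        return [f"bot pushed a non-branch ref: {event.get('ref')}"]
    if branch in PROTECTED:
        findings.append(f"bot pushed to protected branch {branch}; verify branch protection")
    if not branch.startswith(BOT_NAMESPACE):
        findings.append(f"bot pushed outside its namespace: {branch}")
    if event.get("forced"):
        findings.append(f"force-push by bot on {branch}")
    if event.get("deleted") and not branch.startswith(BOT_NAMESPACE):
        findings.append(f"bot deleted branch {branch}")
    return findings


# Constructed sample events (not real payloads).
OK_EVENT = {"ref": "refs/heads/dependabot/composer/laravel-framework-bump",
            "sender": {"login": "dependabot[bot]", "type": "Bot"},
            "forced": False, "deleted": False}
BAD_EVENT = {"ref": "refs/heads/master",
             "sender": {"login": "dependabot[bot]", "type": "Bot"},
             "forced": False, "deleted": False}
HUMAN_EVENT = {"ref": "refs/heads/master",
               "sender": {"login": "phanan", "type": "User"},
               "forced": False, "deleted": False}
```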
@phanan commented on GitHub (Sep 26, 2018):

👍 Thanks for the explanation. It shouldn't be a deal-breaker – after all, it's all OSS! I'm giving Dependabot a try right now. Thanks again!

@greysteil commented on GitHub (Sep 26, 2018):

Awesome - I'm watching from my side to make sure those first PRs are all as good as they should be 🙂
