Frequently Asked Questions

What access am I granting to deppbot when I sign in with GitHub?

Besides obtaining your email, deppbot will also be granted read/write permissions to both your public and private repositories.

However, deppbot will ONLY access a repository after you Subscribe it on your Dashboard.

What can deppbot do with the access that has been granted?

  • Add/Remove deppbot as a collaborator on a user or organization repository
  • Add/Remove webhook on a subscribed repository
  • Clone a repository, create branches and issue Pull Requests to the repository

What is deppbot actually doing with my GitHub repository?

Based on our default daily schedule or your configured schedule, deppbot will do a bundle update for the Gemfile in the repository. Then, deppbot will issue a Bundle Update Pull Request to the repository for the changes made to Gemfile.lock.

If you use bundler v.1.10+, deppbot will preserve your BUNDLED_WITH section in the Gemfile.lock. Read more about Bundler's BUNDLED_WITH on Bundler's blog.

How can deppbot ensure that my application stays free of vulnerabilties?

Besides a Bundle Update Pull Request, deppbot is also able to issue a Security Update Pull Request (feature launched on Christmas 2015). Basically deppbot detects and patches vulnerable ruby gems with secure versions.

For more information on how a Security Update Pull Request works, please refer to our announcement.

Can deppbot auto-delete the branch that it created after I have closed or merged the branch?

GitHub displays a Delete Branch button as soon as you close or merge a Pull Request. We encourage you to use that!

When will deppbot update my repository?

For bundle updates, deppbot runs every day by default but has a configurable frequency of 3 days, 5 days, 1 week or 2 weeks that can be adjusted in Edit Settings for every subscribed repository.

However, supposed the last run didn't yield any updates to Gemfile.lock, then deppbot will run again the following day on your repository, and ignore the configured schedule.

For security updates, deppbot checks for ruby gem vulnerabilities several times a day because your application's security is our priority, and will issue a Pull Request as soon as a vulnerability is found.

There is an exception though: To ensure that the repository would not be spammed daily with deppbot's Pull Request, deppbot will only issue a new (Bundle or Security Update) Pull Request after the most recent Pull Request has been closed or merged.

Can I adjust the frequency of deppbot? I like it weekly.

Yes! You can modify the frequency with the options of 1 day, 3 days, 5 days, 1 week or 2 weeks in Edit Settings for every subscribed repository.

Where are the Pull Requests? I subscribed a few repositories!

  1. You might have subscribed a repository without a Gemfile or Gemfile.lock, i.e. a ruby gem.

    Essentially, in order for bundle update to work, Gemfile AND Gemfile.lock are required. Otherwise, deppbot will not be able to process your repository.

  2. Your project is already up-to-date.

Will my code be stored on your server?

When deppbot processes your repository, it will be cloned to our server.

However, as soon as bundle update is done, the repository WILL BE DELETED IMMEDIATELY from our server.

Who can access the deppbot GitHub account?

Jolly Good Code employees will only access the account for the purpose of providing support.

Why are some ruby gems in the Pull Request message not linked to their source repository?

deppbot depends on API to obtain metadata (including the source URL) for a ruby gem. Therefore deppbot is sometimes unable to link to the source repository for ruby gems with incomplete metadata on

If you are a ruby gem author, you can help by updating your ruby gem's metadata on[GEM-NAME]/edit.

In addition, deppbot is unable to link to ruby gems from at the moment.

Why are some ruby gems in the Pull Request message not linked to their Compare Views?

deppbot is unable to link to a Compare View on GitHub or BitBucket for ruby gems that do not have a version tag or revision SHA1 associated to a release on

Why call it deppbot?

We wanted to call it depbot, but the domain is not available. And, Johnny Depp is cool.