dependabit

Dependabit

AI-Powered Dependency Tracking for External Resources

Dependabit automatically discovers, tracks, and monitors external dependencies referenced in your codebase using LLM-powered analysis. Unlike traditional dependency managers that only track package manifests, Dependabit finds informational dependencies like GitHub repos, documentation sites, API references, research papers, and more.

⚠️ Pre-1.0 software — APIs are subject to change between minor versions. Pin to exact versions in production. See the CHANGELOG for breaking changes between releases.

📚 Documentation: https://pradeepmouli.github.io/dependabit/

Features

🎯 AI-Powered Detection

• LLM Analysis: Uses GitHub Copilot (or other LLMs) to intelligently detect external dependencies
• Multi-Source Parsing: Extracts references from README files, code comments, and package manifests
• Smart Classification: Automatically categorizes dependencies (documentation, research papers, schemas, APIs, etc.)
• Confidence Scoring: Provides confidence levels for each detected dependency

🔄 Automatic Updates

• Push-Triggered Updates: Automatically updates manifest when code changes are pushed
• Selective Re-Analysis: Only analyzes changed files for efficiency
• Merge Strategies: Preserves manual edits while incorporating new discoveries
• Change Logging: Comprehensive logging of additions and removals

📊 Change Monitoring

• Periodic Checks: Scheduled monitoring of external dependencies
• Issue Creation: Automatically creates GitHub issues for dependency changes
• Severity Classification: Breaking, major, or minor change detection
• Rate Limiting: Smart GitHub API usage with budget reservation

⚙️ Flexible Configuration

• Dependabot-Style Config: Familiar YAML configuration format
• Per-Dependency Rules: Customize monitoring frequency and behavior
• Multiple Auth Methods: Token, OAuth, and basic authentication support
• AI Agent Assignment: Automatically assign issues to AI agents based on severity

GitHub Marketplace Publishing

To publish the action to the GitHub Marketplace:

1. Run the Bundle Action workflow (or build locally) so packages/action/action-dist is committed.
2. Create a GitHub Release tag (for example, v0.1.12).
3. In the Release UI, select Publish this Action to the GitHub Marketplace.

The action metadata in action.yml points to the bundled file, so Marketplace users get a self-contained action.

Quick Start

Prerequisites

• Node.js >= 20.0.0
• pnpm >= 10.0.0
• GitHub repository with Actions enabled
• GitHub Copilot access (or alternative LLM provider)

For Development

Add Dependabit to your repository by creating workflow files:

1. Generate Initial Manifest

Create .github/workflows/dependabit-generate.yml:

name: Generate Dependency Manifest

on:
  workflow_dispatch:  # Manual trigger for initial setup

permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Setup GitHub CLI (required for Copilot CLI)
        run: |
          # GitHub CLI is pre-installed on GitHub Actions runners
          # Verify it's available and authenticated
          gh --version
          gh auth status

      - name: Install dependencies and build action
        run: |
          corepack enable
          pnpm install
          pnpm build

      - name: Generate manifest
        id: generate
        uses: ./packages/action  # Use local action after building
        with:
          action: generate
          repo_path: .
          manifest_path: .dependabit/manifest.json
          llm_provider: github-copilot
          llm_api_key: ${{ secrets.GITHUB_TOKEN }}