The existing tools for automating dependency upgrades all focus on opening pull requests to address CVEs. But that's not enough. APIs change, minimum runtime versions increase, behavior shifts in subtle ways.
We built Dependicus to help you navigate this environment at scale. Rather than opening PRs, it presents you with information in the form of dashboards and issue tracker tickets. You can use that rich context to plan major upgrades, or fire off coding agents to deal with minor API changes. It supports multiple ecosystems today, and it’s designed to grow.
Dependicus helps you see the big picture
In the JavaScript world, you've got limited options for getting a broad view of your dependencies. At Descript we use pnpm, which is the best of the JS package managers, but getting an overview of 200 packages to find duplicate dependencies and general issues is tedious. pnpm is not optimized for fast querying of this kind of information, even if the information is available. Dependicus scrapes everything it can in one go, then presents it to you as a spreadsheet. It’s a static site you can deploy however you want. You run it in CI, and it’s always up to date, no waiting.
If you click on a dependency, it’ll take you to a detail page showing you every individual version between the one you have installed and the latest. Versions are pulled from the package manager (in this case npmjs.org), and Dependicus uses heuristics to locate changelogs, tags, and releases, showing them when possible.
This same view is available for Python, Go, Rust, and Mise dependencies, with the level of detail depending on what each package manager provides and on what tags and releases the project has.
Dependicus helps you plan with tickets, not PRs
When dependency updates come with API changes, you can’t rely on a mechanical process to do the updates. These updates become tasks competing with other tasks for priority. In the old PR-based style of Dependabot and Renovate, it’s on you to manually create these tickets, or to build automations that sync PRs to tickets. The existing systems have “security alerts,” but in a world of sliding-window compatibility with browsers, Node.js versions, and OS versions, security alerts are, again, the least-impactful-on-your-time reason to update. Dependicus inverts the flow of information. It doesn’t create pull requests. Instead, it creates Linear issues or GitHub issues. (No JIRA or Asana support yet—patches are welcome.)
It's up to you how the tickets are created and what you do with them. At Descript, we often assign update tickets directly to coding agents, which can do the mechanical changes as well as anything else that can be verified with typechecking and tests. Agents sometimes “notice” that a cluster of dependencies needs to be updated together, such as the @opentelemetry/ packages, which saves us the trouble of trying to wrangle five PRs at a time. Other times, we’ll put the ticket in a sprint, or track it for a longer-term plan. Dependicus will comment (rate limited) as new versions are released, so there’s a single source of truth until we get around to doing the update. And we can add our own comments, so that if we do end up assigning the ticket to a coding agent, it has better information and is more likely to do the right thing.
It’s easy to start
Dependicus can be run with minimal configuration.
# speeds up fetching of changelogs and tags
export GITHUB_TOKEN=<a GitHub token>

# run one of these, matching your package manager
pnpm dlx dependicus@latest update --html
bunx dependicus@latest update --html
yarn dlx dependicus@latest update --html
npx dependicus@latest update --html

# view the generated dashboard
open ./dependicus-out/index.html

You can find more detailed CI examples here: https://descriptinc.github.io/dependicus/ci/
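As an added illustration (not from the Dependicus project or its documentation), here is a minimal GitHub Actions workflow that runs the command above on a schedule and publishes the static dashboard as a build artifact. The workflow file path, the Node version and the cron schedule are assumptions; the only Dependicus-specific parts are the `update --html` command, the `GITHUB_TOKEN` variable and the `./dependicus-out` output directory shown on this page.

```yaml
# .github/workflows/dependicus.yml (assumed path; any workflow file works)
name: Dependency dashboard

on:
  schedule:
    - cron: "0 6 * * 1-5"   # weekday mornings, so the dashboard stays current
  workflow_dispatch:         # allow manual runs as well

# Least privilege: the job only needs to read the repository.
# GITHUB_TOKEN is passed to Dependicus so changelog and tag lookups
# are not throttled by unauthenticated API rate limits.
permissions:
  contents: read

jobs:
  dashboard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumed; use whatever your project supports

      - name: Generate the static dashboard
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # "@latest" mirrors the command on this page; in a real pipeline
        # pin an explicit version so the CI run is reproducible.
        run: npx dependicus@latest update --html

      - name: Publish the dashboard as a build artifact
        uses: actions/upload-artifact@v4
        with:
          name: dependicus-dashboard
          path: ./dependicus-out
```

The artifact can be downloaded from the workflow run, or the same `./dependicus-out` directory can be handed to whatever static-site deployment your team already uses.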
If you run into trouble, please start a discussion.
May your build always be green.