I am writing a paper on Dependabot PRs and their interaction with developers. To this end I have found some examples of Dependabot PRs to analyse. The most information Dependabot can provide you with is the "Changelog", "Release notes" and "Commits" sections, plus the compatibility heuristic. But in some cases one or more of these are missing (e.g. this PR, where none of it is presented). Why is it so? What defines which of these sections are present in the PR?

Also, in the example given above, why is the compatibility heuristic tagged as unknown even though the tests that were run have clear results?

Spiridon

1 Answer

I'm the PM for Dependabot at GitHub. The answer to your question comes down to "our support for different ecosystems is different." Each ecosystem has a different way that they publish the changelog/commits information for each version bump, and some are more programmatic than others, which can make it easier or harder for us to pull the info needed to populate those fields.

If you have any further questions about Dependabot as you are working on your paper, please feel free to email me at carogalvin(at)github.com and I'd be happy to help.

carogalvin
  • Ah, okay! Thank you very much for the information. I am writing my bachelor's thesis on dependabot, is there somewhere I can find more such information? If not, may I email you some questions? – Spiridon May 12 '23 at 17:38
  • Yes, you can find more information in the Dependabot docs: https://docs.github.com/en/enterprise-cloud@latest/code-security/dependabot You can also email me at carogalvin(at)github.com – carogalvin May 15 '23 at 14:01