
I built Dependabot (https://dependabot.com), a service that checks your dependencies are up-to-date every morning and creates pull requests for you if they're not. Intention was to make dependency management suck less, whilst also adding a bit of runway to a bigger startup I wanted to do.

* Spent 2 months building it - much longer than I'd thought. The work required to get from a prototype (2 days) to a SaaS product (2 months) was way bigger than I'd thought. So much polish, and so many edge cases to consider when the client goes from "you" to "anyone else". Lesson: building something for other people takes a lot longer than building something for yourself.

* Tried to launch on Hacker News but failed to get any attention. Our blog post on "10 years of Rubysec data analysed" never made it off the "newest" page, despite being pretty solid content (spent two days building a Jupyter Notebook so anyone could replicate our results, etc.). Was a big psychological hit at the time. Lesson: there's lots of randomness in launches - don't rely on them too much.

* Thought GitHub Marketplace would list us and help with distribution, but it's been extremely hard to persuade them to. The jury is still out on this one, but they (understandably) want us to have lots of users before they invest in even assessing the app. Lesson: don't rely on the goodwill of third parties - unless you've got something they want/need, you'll be stumped if they decide they're not interested.

I haven't given up yet, and I still really believe in the product, but it's been a much harder journey than expected! Marketing has been by far the toughest part, and I don't have a solution to it yet.



Regarding the blog post: it's simply a numbers game: the odds that one of a hundred articles picks up momentum are way larger than the odds of one blog post picking up momentum. Sometimes it's better to spend the time you'd invest in one great article on ten articles instead. Or write a hundred great articles, and you're very likely to have success.

Regarding the marketing part: if my own start-up taught me anything, it's that great marketing can launch a mediocre product, but if you have mediocre marketing, your product will need to be extremely good to gain any traction.

TL;DR: business requires hard work, and shortcuts usually don't work. Outliers and survivorship bias apply to the posts that claim otherwise.


That's pretty cool, I have been thinking of building something similar, but for Python. How hard is it to add new languages?

What is the tech stack?

Does it cost much to keep it running?


Thanks!

Adding new languages is as easy as the package manager makes it... which is normally still quite hard! The core logic for Dependabot is open-source here, including all the language-specific logic for Ruby, JS and PHP, and a starter (lots of work still required) for Python: https://github.com/gocardless/bump-core.

For the app itself, we used Ruby (because we'd built the original core gem, which was https://github.com/gocardless/bump, in Ruby at a work hackathon years ago).

Costs under £50 a month to keep running at the moment, creating about 2,000 PRs a month. We could really do with getting it into the GitHub marketplace so we can start charging people and cover those costs!


It already exists for Python: https://pyup.io/


As someone in this space, I think you're approaching this wrong. You find early users by hand, reaching out to people you know have this problem and asking them to use the product (you would typically do this before even making it work properly as a SaaS product).

Jessica Livingston says it better than me: http://foundersatwork.posthaven.com/why-startups-need-to-foc...


Thanks Paul, big fan of CircleCI.

Great link, and I totally agree with that lesson. Side project feels like a good way to have learnt it!


You might try marketing this to security teams, I know dependencies are a big concern for them.


Thanks for the advice! Security is definitely a big angle here - not only do dependency updates often include patches for known vulnerabilities, they're also the least likely to be affected by future vulnerabilities.

We wrote a blog post about it here: https://dependabot.com/blog/the-latest-dependency-version-is...
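A worked illustration of the check this thread is about (dependencies pinned in a lockfile, cross-referenced against advisory data, with the minimum patched version an update PR would move to) is below. It is an added example, not code from Dependabot, bump-core or any commenter; the Gemfile.lock fragment, the advisory list and the `ADV-EXAMPLE-*` ids are constructed for the example, and the range handling assumes advisories express patched versions as `>=`, `~>` or `=` requirements, which is the form RubyGems' own `Gem::Requirement` parses.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock fragment (not taken from any real project).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.6.0)
      nokogiri (1.8.2)
      rails-html-sanitizer (1.0.3)
      sinatra (2.0.1)
LOCK

# Constructed advisory records in the shape Rubysec-style data takes:
# affected gem, an advisory id (placeholder, not a real id), and the
# version ranges that carry the fix.
ADVISORIES = [
  { gem: 'rack',                 id: 'ADV-EXAMPLE-1', patched: ['~> 1.6.2', '>= 2.0.1'] },
  { gem: 'nokogiri',             id: 'ADV-EXAMPLE-2', patched: ['>= 1.8.2'] },
  { gem: 'rails-html-sanitizer', id: 'ADV-EXAMPLE-3', patched: ['>= 1.0.4'] },
].freeze

# Pull "name (version)" entries from the specs: section of a lockfile.
# Top-level gems sit at four spaces of indent; deeper lines are a gem's
# own sub-dependency declarations and are skipped.
def parse_lockfile(text)
  deps = {}
  in_specs = false
  text.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      deps[m[1]] = Gem::Version.new(m[2])
    end
  end
  deps
end

# True when the installed version already falls inside a patched range.
def patched?(version, ranges)
  ranges.any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# Smallest patched version above what is installed: the target an update
# PR would pin. Only lower-bounded operators are considered (assumption
# stated in the lead-in); other operators contribute no candidate.
def minimum_patched_version(current, ranges)
  lower_bounds = ranges.map do |r|
    op, v = Gem::Requirement.parse(r)
    v if %w[>= ~> =].include?(op) && v > current
  end
  lower_bounds.compact.min
end

# Cross-reference installed versions against the advisories. Each hit is
# the information a Dependabot-style PR would carry in its description.
def vulnerable_dependencies(lockfile_text, advisories)
  deps = parse_lockfile(lockfile_text)
  advisories.each_with_object([]) do |adv, hits|
    current = deps[adv[:gem]]
    next if current.nil? || patched?(current, adv[:patched])
    hits << {
      gem: adv[:gem],
      advisory: adv[:id],
      current: current.to_s,
      update_to: minimum_patched_version(current, adv[:patched])&.to_s,
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_dependencies(LOCKFILE, ADVISORIES).each do |hit|
    puts "#{hit[:gem]} #{hit[:current]} -> #{hit[:update_to]} (#{hit[:advisory]})"
  end
end
```

With the constructed input, nokogiri is already on a patched version and sinatra has no advisory, so only rack (to 1.6.2, the nearest patched release rather than the 2.x jump) and rails-html-sanitizer (to 1.0.4) are reported; picking the smallest qualifying bound is what keeps such PRs mergeable rather than forcing a major upgrade.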





