We've had a lot of folks ask how Pmbot is different from Dependabot, Snyk, Renovate, and other platforms. We wanted to give a brief overview of what makes us special.

Pmbot doesn't open PRs

One of the drawbacks of using platforms that open PRs is that you end up overwhelmed with PRs awaiting review. We've seen people turn off automated updates because they were swamped with PRs and didn't have the time to merge them.

Pmbot actions let you control what happens after an update. We provide the auto-merge action which lets you merge successful updates automatically to your development branch. You can use our Slack plugin to notify your team of unsuccessful updates. In practice, your team never gets bothered. For the very few updates that fail, they get notified.

A major difference also lies in how our merge-request plugin works. We make updates on a single branch, one by one (unless you've configured grouped updates), and hence we open a single merge request which contains all updates at once. If you don't have time to check that merge request, we'll close it and open a new one on the next update, so there's always a single merge request you have to look at.

Pmbot always keeps you up to date

Other platforms are focused on finding and fixing vulnerabilities. We believe that you should always update your dependencies, whether they contain vulnerabilities or not. By doing so, you not only get the latest security patches, but also performance improvements.

In CI we trust

Pmbot works best when you have faith in your tests and in your CI. This is the key to ensuring backwards compatibility and avoiding breaking things. If you are concerned about automatically merging successful updates to your development branch, you can use our merge-request plugin. This will open a single merge request with several updates, instead of multiple merge requests with single updates.

If you have any questions, send us a message on our Discourse!