Choose your update strategy

If there is one thing we’ve learned so far at Depfu, it’s that every team works differently. Every project – be it open source or in-house – is in a different situation. And the teams working on these projects all have their unique way of working and constraints.

While we love to be be opinionated and have sensible defaults, we also love listening to customers. That's why you can choose how you want to update your dependencies with what we call the "Update Strategy".

Individual Updates

This is the default and recommended strategy.

We continuously check for new versions of all of your dependencies. Whenever a new version gets released, we send you a pull requests that updates the dependency to the just released version. If you have more than 7 pull requests open from Depfu, we instead queue the update and send it to you as soon as you merge or close one of your open PRs.

If a new version get's released for a dependency where you have already an open PR, we close the existing PR and create a new one for you.

If you update dependencies outside of Depfu and push it to your master branch, Depfu will detect that and automatically close all pull requests that are not relevant anymore.

Bundler and indirect dependencies

Since Bundler also updates related indirect dependencies together with the main dependency, often a pull request will update several dependencies: The direct dependency which had a new release and a few indirect dependencies that were also outdated.

By default, indirect dependencies are not updated with separate, individual pull requests, unless it's a security release. We found that for most teams the default Bundler behavior works quite well for keeping indirect dependencies up-to-date. You can however configure Depfu to also send you individual PRs for outdated indirect dependencies or send you a weekly pull requests updating all indirect dependencies together.

Grouped Updates

Grouped Updates basically does a weekly (or longer apart)  bundle update/npm update on your project and sends you a single PR with everything that’s outdated. You can use version constraints to pin or lock certain dependencies, so that the complicated Rails or React update doesn’t get included every week.

You decide at what interval you want this PR: weekly, bi-weekly or every month.

As always, we include everything we know about the update into the PR. Due to size constraints on the pull request body, we’re using a more compact style:

We’ll still send you individual PRs for security related updates as soon as possible, outside of your defined cadence. So you can apply them quicker and easier.

Security Updates Only

With this this option you'll only get pull requests for security related updates.


With this option we still track the dependencies for your project, but won't send you any pull requests at all. The Depfu Dashboard is still updated.

Still need help? Contact Us Contact Us