6 min read | Saved February 14, 2026
This article dives into Dependabot's inner workings, highlighting its stateless Ruby core and how it interacts with GitHub's proprietary infrastructure. It discusses the complexities of its various package ecosystem implementations and suggests replacing the current polling model with event-driven updates as a potential improvement.
GitHub's Dependabot simplifies dependency management by automating updates through pull requests. The core of Dependabot, known as dependabot-core, is an open-source Ruby library under the MIT license, recently transitioned from a more restrictive license. While dependabot-core handles the logic for updates—like parsing manifests and generating changes—much of the scheduling and state management remains proprietary to GitHub. Users looking to self-host need to recreate these components.
The codebase is extensive, consisting of 330,000 lines of Ruby that support over 25 package ecosystems. The naming conventions can be confusing, as they don't align with standard package manager terms: the Ruby ecosystem is named "bundler" rather than "rubygems", and "npm_and_yarn" covers two package managers under one name. Each package ecosystem follows a similar structure, implementing classes for fetching files, parsing dependencies, checking for updates, and generating file changes, but the complexity varies significantly across ecosystems.
Dependabot operates statelessly, meaning it starts afresh with each job and relies on external context provided in job definitions. The lack of internal state tracking means it cannot recall previous pull requests or security advisories unless provided by GitHub’s infrastructure. This design creates challenges for users trying to extract meaningful data from pull requests, necessitating complex regex parsing to identify updated packages. In contrast, GitLab's dependabot-gitlab offers an open solution that tracks state and manages scheduling, demonstrating how these functionalities could be implemented outside of GitHub’s proprietary framework.
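As an added example (not code from dependabot-core or from the article), the kind of pull request title parsing the paragraph describes: extract the package, version range and directory from Dependabot-style PR titles, then check the result against an advisory list that the caller supplies, since Dependabot itself keeps no such state. The title shapes and the advisory hash format are constructed assumptions for this example.

```ruby
# Added example, not code from dependabot-core or the article: recover the
# updated package and version range from Dependabot-style PR titles, then
# compare the target version with a caller-supplied advisory list.
require "rubygems" # Gem::Version (standard library) handles version ordering

module DependabotTitle
  # Sample title shapes handled here (constructed for this example):
  #   "Bump rails from 7.0.4 to 7.0.8 in /api"
  #   "Update rubocop requirement from ~> 1.50 to ~> 1.60"
  BUMP = /\ABump\s+(?<name>\S+)\s+from\s+(?<from>\S+)\s+to\s+(?<to>\S+)(?:\s+in\s+(?<dir>\S+))?\z/
  REQUIREMENT = /\AUpdate\s+(?<name>\S+)\s+requirement\s+from\s+(?<from>.+?)\s+to\s+(?<to>.+?)(?:\s+in\s+(?<dir>\S+))?\z/

  # Returns a hash describing the update, or nil when the title is not one
  # Dependabot would have generated (a human-authored PR, for instance).
  def self.parse(title)
    if (m = BUMP.match(title))
      build(:version, m)
    elsif (m = REQUIREMENT.match(title))
      build(:requirement, m)
    end
  end

  def self.build(kind, m)
    { kind: kind, name: m[:name], from: m[:from], to: m[:to], directory: m[:dir] || "/" }
  end

  # advisories: { "rails" => "7.0.8" } means versions below 7.0.8 are affected.
  # Returns :fixed when the PR reaches the patched version, :still_vulnerable
  # when the target version is still below it, :not_advisory when the package
  # is not listed, :unknown for requirement-range updates (no pinned version),
  # and nil when the title could not be parsed at all.
  def self.classify(title, advisories)
    update = parse(title)
    return nil unless update
    patched = advisories[update[:name]]
    return :not_advisory unless patched
    return :unknown unless update[:kind] == :version
    Gem::Version.new(update[:to]) >= Gem::Version.new(patched) ? :fixed : :still_vulnerable
  end
end

if __FILE__ == $PROGRAM_NAME
  advisories = { "rails" => "7.0.8" } # constructed sample advisory list
  ["Bump rails from 7.0.4 to 7.0.8 in /api",
   "Bump rails from 7.0.4 to 7.0.5",
   "Update rubocop requirement from ~> 1.50 to ~> 1.60",
   "Refactor login controller"].each do |t|
    puts "#{t.inspect} => #{DependabotTitle.classify(t, advisories).inspect}"
  end
end
```

Titles are a brittle contract: a renamed PR or a grouped update title will fall through to nil, so treat a nil result as "needs a human look" rather than "not a dependency update".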