{"id":28291103,"url":"https://github.com/hasundue/denopendabot","last_synced_at":"2025-10-08T23:05:24.220Z","repository":{"id":47956218,"uuid":"515131701","full_name":"hasundue/denopendabot","owner":"hasundue","description":"Dependabot for Deno projects (deprecated)","archived":false,"fork":false,"pushed_at":"2024-06-17T06:54:40.000Z","size":743,"stargazers_count":38,"open_issues_count":2,"forks_count":6,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-09-30T17:02:37.054Z","etag":null,"topics":["deno","dependencies","devops","github-actions","github-app"],"latest_commit_sha":null,"homepage":"https://deno.land/x/denopendabot","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hasundue.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"hasundue","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2022-07-18T10:11:50.000Z","updated_at":"2025-08-27T13:20:21.000Z","dependencies_parsed_at":"2023-02-11T22:30:17.755Z","dependency_job_id":"c35e4261-8257-46b4-a1ae-ff0327c3883d","html_url":"https://github.com/hasundue/denopendabot","commit_stats":{"total_commits":568,"total_committers":9,"mean_commits":"63.111111111111114","dds":"0.43838028169014087","last_synced_commit":"c9069986358b58949c8b17e36dcea69878d90b15"},"previous_names":[],"tags_count":60,"template":false,"template_full_name":"hasundue/template-deno","purl":"pkg:github/hasundue/denopendabot","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasundue%2Fdenopendabot","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasundue%2Fdenopendabot/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasundue%2Fdenopendabot/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasundue%2Fdenopendabot/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hasundue","download_url":"https://codeload.github.com/hasundue/denopendabot/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hasundue%2Fdenopendabot/sbom","scorecard":{"id":457429,"data":{"date":"2025-08-11","repo":{"name":"github.com/hasundue/denopendabot","commit":"c9b3b35808f80ada38ffed2523ac1f8ee6da982b"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.8,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/7 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:45: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/deploy.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/deploy.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/deploy.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/deploy.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration.yml:64: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration.yml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/integration.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/stage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stage.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/stage.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/stage.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/stage.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/stage.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/update.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/hasundue/denopendabot/update.yml/main?enable=pin","Info:   0 out of   8 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  11 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/deploy.yml:17","Warn: no topLevel permission defined: .github/workflows/cd.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/ci.yml:13","Warn: no topLevel permission defined: .github/workflows/deploy.yml:1","Warn: no topLevel permission defined: .github/workflows/integration.yml:1","Warn: no topLevel permission defined: .github/workflows/release.yml:1","Warn: no topLevel permission defined: .github/workflows/stage.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Warn: no topLevel permission defined: .github/workflows/update.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 23 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-19T10:05:13.478Z","repository_id":47956218,"created_at":"2025-08-19T10:05:13.478Z","updated_at":"2025-08-19T10:05:13.478Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278838467,"owners_count":26054721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deno","dependencies","devops","github-actions","github-app"],"created_at":"2025-05-22T03:13:23.893Z","updated_at":"2025-10-08T23:05:24.213Z","avatar_url":"https://github.com/hasundue.png","language":"TypeScript","funding_links":["https://github.com/sponsors/hasundue"],"categories":[],"sub_categories":[],"readme":"\u003e [!Warning]\\\n\u003e Denopendabot is deprecated in favor of\n\u003e [renovate](https://github.com/renovatebot/renovate) or\n\u003e [molt](https://github.com/hasundue/molt). Thanks for kind support and\n\u003e contribution!\n\n# denopendabot\n\n\u003c!-- deno-fmt-ignore-start --\u003e\n\n[![CI](https://github.com/hasundue/denopendabot/actions/workflows/ci.yml/badge.svg?event=push)](https://github.com/hasundue/denopendabot/actions/workflows/ci.yml)\n[![codecov](https://codecov.io/gh/hasundue/denopendabot/branch/main/graph/badge.svg)](https://codecov.io/gh/hasundue/denopendabot)\n![denoland/deno](https://img.shields.io/badge/Deno-v1.38.5-informational?logo=deno) \u003c!-- @denopendabot denoland/deno --\u003e\n\n\u003c!-- deno-fmt-ignore-end --\u003e\n\n**Denopendabot** is a GitHub App, GitHub Action, and Deno module to keep the\ndependencies of your Deno projects up-to-date.\n\nObviously inspired by [Dependabot](https://github.com/features/security/), and\nmaking up for their missing support for Deno. Written in Deno, and running on\nDeno Deploy.\n\n## :magic_wand: Features\n\n### Update Deno modules\n\n\u003c!-- @denopendabot ignore-start --\u003e\n\n```typescript\nimport $ from \"https://deno.land/x/dax@0.14.0/mod.ts\";\n```\n\n```diff\n- import $ from \"https://deno.land/x/dax@0.14.0/mod.ts\";\n+ import $ from \"https://deno.land/x/dax@0.15.0/mod.ts\";\n```\n\nDenopendabot takes advantage of the core engine of\n[udd](https://github.com/hayd/deno-udd), one of the most widely used module\nupdate libraries for Deno, which supports\n[many registry domains](https://github.com/hayd/deno-udd#supported-domains).\n\n### Update GitHub repositories\n\n```yaml\n- uses: denoland/setup-deno@v1\n  with:\n    deno-version: v1.26.0 # @denopendabot denoland/deno\n```\n\n```diff\n-   deno-version: v1.26.0 # @denopendabot denoland/deno\n+   deno-version: v1.26.1 # @denopendabot denoland/deno\n```\n\n\u003c!-- @denopendabot ignore-end --\u003e\n\nDenopendabot can also update release versions of GitHub repositories, specified\nby comments of `@denopendabot {owner}/{repo}`.\n\n### Create pull requests\n\n- Commits are created for each updated module/repository individually\n- Each run of Denopendabot creates only one pull request\n\nSee\n[example pull requests](https://github.com/hasundue/denopendabot/pulls?q=is%3Apr+is%3Amerged+label%3Atest).\n\n## :rocket: Getting started\n\n### GitHub App\n\nThe easiest way to use Denopendabot is to install the\n[GitHub App](https://github.com/apps/denopendabot). After installation,\nDenopendabot will send a pull request to create\n[`denopendabot.yml`](./app/denopendabot.yml) in `.github/workflows` if it finds\nyour repository to be a Deno project. Merge it to get ready, or create the file\nby yourself.\n\n\u003e **Warning**\\\n\u003e Denopendabot requires write access to your workflows, which technically\n\u003e enables the bot to perform script injection on your repository. Install the\n\u003e app only if you are sure that it is reliable.\n\n### GitHub Action\n\nIf you don't want to send repository contents to the app, you can use our\n[GitHub Action](https://github.com/marketplace/actions/denopendabot) to run\nDenopendabot locally inside the GitHub Actions environment.\n\nThe action needs a GitHub access token authorized to run workflows.\n`secrets.GITHUB_TOKEN` is used by default and it works fine in most cases.\n\nIf you want to update workflow files (`.github/workflows/*.yml`), it also needs\na private access token with the `workflow` scope. In the examples below, we\nassume the token is added in repository secrets as `GH_TOKEN`.\n\n```yaml\nname: Denopendabot\non:\n  workflow_dispatch:\n  schedule:\n    - cron: \"0 0 * * *\" # modify to your convenient time\njobs:\n  update:\n    name: Update\n    runs-on: ubuntu-latest\n    steps:\n      - uses: hasundue/denopendabot@0.18.2 # @denopendabot hasundue/denopendabot\n        with:\n          user-token: ${{ secrets.GH_TOKEN }} # needed for updating workflows\n```\n\nSee [action.yml](./action.yml) for other options.\n\n## :handshake: Contributing\n\nStar the repository, and use Denopendabot for your project! Feel free to make an\nissue when you find any problem.\n\nPull requests for bug-fix, testing, or documentation are always welcome.\n\nIf you want to create a pull request for feature addition or refactoring, it is\nrecommended to make an issue first, since we don't necessarily like the changes.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasundue%2Fdenopendabot","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhasundue%2Fdenopendabot","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhasundue%2Fdenopendabot/lists"}