
Why does it seem these tools have converged on the bot-makes-PR implementation? Why not a tool that bumps dependencies and lets you propose yourself? I can’t use one of these tools because the integration is GitHub-only.


If you had to submit the PR yourself, you’d have to remember to do it in the first place (and take the time to do it). Bumping a bunch of patch version numbers has never been the hard part and isn’t really what these tools solve. Their purpose is to reduce the effort involved to an absolute minimum so there are no excuses to fall behind on updates. Some of these tools, like Renovate, even have the ability to automatically merge the PR if the tests pass, meaning there’s zero human involvement.

If you had to submit the PR yourself, then these tools would be no different than an automated Jira ticket that’s created once per sprint.

(The actual hard part of all this is having good, meaningful, automated tests, but that can’t be solved by a bot.)


> If you had to submit the PR yourself, you’d have to remember to do it in the first place (and take the time to do it). Bumping a bunch of patch version numbers has never been the hard part and isn’t really what these tools solve. Their purpose is to reduce the effort involved to an absolute minimum so there are no excuses to fall behind on updates. Some of these tools, like Renovate, even have the ability to automatically merge the PR if the tests pass, meaning there’s zero human involvement.

I’ve seen a fair number of open “dependabot” PRs just lying around.


Renovate isn't special with how it authenticates - you can run it as your own user, e.g. https://github.com/jamietanna/oapi-codegen/pull/12, and Renovate runs against GitLab, Bitbucket and I believe other platforms too.


>> Why not a tool that bumps dependencies and lets you propose yourself?

So it opens an issue and gives you a patch file... Or emails it to you?

> Why does it seem these tools have converged on the bot-makes-PR implementation?

Because git and the PR is the common choke point that everyone knows and loves. A lot of devs look down on "patches"... there are tons of people who happily use Linux who think that all kernel devs are stupid 'cause of Bugzilla/patches and email could not possibly work.


Patch files? Normal tools change files. If I `sed -i` in my project I just change the files in my project. Then I (separately) can add and commit them. Same for (for example) linting tools. This bot-PR workflow is outside of that normal.


A PR is easy to automate, hook into, and preserves ownership of the commit.

Yes it bypasses YOUR workflow, but a PR works for everyone who uses GitHub.

If you want something else that works for everyone who uses GitHub it's an issue, or an email with a patch file. Why a patch file? Do you want to own the change the bot suggested? There are a lot of orgs where the ownership matters more than the linting.

You could just make the change yourself, sure, and then run it through your normal workflow... then you're the author and committer of the change...


I stepped into the wrong workflow synagogue it seems.


You mean on some individual person's laptop when that person remembers to run it?


Like most things.


But the whole point is not to have to do that. What you're asking for is basically just `npm upgrade` or `cargo upgrade` or whatever? The point of Renovate, Dependabot etc. is exactly the automated/scheduled running of those package manager updates.


Sigh. The answer to why they are this way is that it’s the whole point that they are this way.


Well yes? You're complaining that a motorbike has an engine when you're perfectly capable of and would rather power it with your own two legs.


What a great comparison.


Renovate lets you run it locally as a oneshot Docker container (similar to a binary) with a personal access token, creating the PRs under your name.

Here's an example (made this repo to test a Renovate issue against): https://github.com/sunshowers/renovate-test-2



