Fossabot: AI Code Review for Dependabot/renovate on Breaking Changes and Impacts

Posted3 months agoActive3 months ago

robszumski

108 points

18 comments

fossa.comTechstory

supportivepositive

Debate

20/100

Artificial IntelligenceCode ReviewDependency Management

Key topics

Artificial Intelligence

Code Review

Dependency Management

Fossabot is an AI-powered code review tool for Dependabot/Renovate that analyzes breaking changes and impacts, sparking discussion on its potential and naming controversy.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

51m

Peak period

1-2h

Avg / period

1.8

Comment distribution18 data points

Loading chart...

Based on 18 loaded comments

Key moments

01Story posted
Oct 1, 2025 at 12:30 PM EDT
3 months ago
Step 01
02First comment
Oct 1, 2025 at 1:21 PM EDT
51m after posting
Step 02
03Peak activity
4 comments in 1-2h
Hottest window of the conversation
Step 03
04Latest activity
Oct 2, 2025 at 2:58 AM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (18 comments)

Showing 18 comments

johnnyyw

3 months ago

5 replies

Why didn't GitHub come up with this? This seems like such an obvious use case.

zingababba

3 months ago

1 reply

GitHub hasn't done anything interesting with dependabot or code scanning for awhile.

danudey

3 months ago

1 reply

They're spending all of their engineering resources on not doing anything interesting with Copilot instead.

viraptor

3 months ago

And not solving lots of small issues listed on... GitHub. The community project is such an issues graveyard.

SkyPuncher

3 months ago

Because this won't work. Dependency updates are actually incredibly hard.

robszumskiAuthor

3 months ago

It requires you to go deep in both the code analysis and the research, which is expensive at their scale

And, as someone who's start up (EdgeBit was acquired by FOSSA recently) wrote a new JS/TS static analysis engine, it's just hard to get correct.

timrogers

3 months ago

GitHub PM here. We have tried this, but we weren't able to get results that we were satisfied with. Of course, you have to revisit these things regularly, as the models and wider state of the art are evolving so quickly!

chadfurman

3 months ago

It's a niche for AI, which creates some great opportunities for context engineering :)

rohitpaulk

3 months ago

1 reply

Always felt dependency updates are a perfect fit for AI agents:

(a) they’re broadly similar across companies,

(b) they aren’t time-sensitive, so the agent can take hours without anyone noticing, and

XiZhao

3 months ago

One would imagine they are broadly similar; but that's off the assumption that codebases are similar as well.

Migrations between versions can have big variance largely as a function of the parent codebase and not the dependency change. A simple example of this would be a supported node version bump. It's common to lose support for older node runtimes with new dependency versions, but migrating the parent codebase may require large custom efforts like changing module systems.

cchance

3 months ago

1 reply

This seems great, i see you offer it as a service, but also its opensource (FOSS) ... how does the FOSS version differ from the commercial service?

jamietanna

3 months ago

> also its opensource (FOSS)

Where did you see that? I must've missed it in the announcement

ai-christianson

3 months ago

Cool to see this coming out of FOSSA (ex FOSSA here :))

jamietanna

3 months ago

This is very interesting, looking forward to seeing more about it!

(I'm one of the maintainers on Renovate)

jamietanna

3 months ago

gregjw

3 months ago

Did they not Google the name before deciding upon it? Fossabot is a dominant player in online streaming chat moderation.

poetril

3 months ago

Fossabot[0] is also the name of an established Twitch/YouTube chat bot.

0: https://fossabot.com/

stevepike

3 months ago

This is cool, it looks to me like you're integrating static analysis on the user's codebase and the underlying dependency. Very curious to see where it goes.

We've found dependency upgrades to be deceptively complex to evaluate safety for. Often you need context that's difficult or impossible to determine statically in a dynamically typed language. An example I use for Ruby is the kwarg migration from ruby 2.7->3 (https://www.ruby-lang.org/en/news/2019/12/12/separation-of-p...). It's trivial to profile for impacted sites at runtime but basically impossible to do it statically without adopting something like sorbet. Do you have any benchmarks on how reliable your evaluations are on plain JS vs. typescript codebases?

We ended up embracing runtime profiling for deprecation warnings / breaking changes as part of upgrading dependencies for our customers and have found that context to unlock more reliable code transformations. But you're stuck building an SDK for every language you want to support, and it's more friction than installing a github app.

View full discussion on Hacker News

ID: 45439721Type: storyLast synced: 11/20/2025, 12:32:34 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN