Hi! I'm Grey, and along with my co-founder Harry I created Dependabot. It's a service that automatically creates pull requests to painlessly keep your dependencies up-to-date.
I took a slightly circuitous route to becoming a software engineer: I was a strategy consultant for a couple of years before teaching myself to code. After that a stint at a startup (GoCardless) gave me some product experience, and I started Dependabot after setting out to do my own thing.
Two months after launch, Dependabot makes $740/month and sees around 5,000 pull requests merged.
Dependabot was never really meant to be a business — it started out as a side project to keep me sane whilst I tried to do a "proper" startup in healthcare.
Back when I was working at GoCardless one of my jobs was keeping our Ruby dependencies up-to-date. Each morning I'd log into our "Gemnasium dashboard", check what needed updating, and create a bunch of PRs. This soon became tedious and I wondered if I could automate it, so along with a few friends I built Bump at a work hackathon.
Bump had a lot wrong with it but hung together well enough to be useful for the next 18 months. That gave me confidence that it would stand on its own two feet, but I was too engrossed in GoCardless work to try to spin it out.
I left GoCardless to do my own thing a year ago and was full of ambition. I cycled around the world and got back wanting to change it by starting something in healthcare. Two months of endless coffee chats and discouragement later, however, and I was ground down.
Building Dependabot became my part-time antidote as it was the exact opposite: a product where I already knew exactly what to build in an industry I understood back-to-front.
Living off our savings, Harry and I gave ourselves two weeks to build the first version of Dependabot. We got GoCardless to give us the IP from Bump (we were, and still are, on really good terms with them), applied a lot of polish, and built a frontend and API for it from scratch.
We missed our deadline, but after four weeks we had something we were happy asking friends to try. We're both developers, so sourcing a few early adopters wasn't too tricky.
From a tech perspective, Dependabot is split into a front end, an API back end, and a dependency updater. The back end is Ruby on Rails, the updater is pure Ruby, and the front end is a React app. We also have some Python and PHP code for bumping Python and PHP dependencies.
Everything is hosted on Heroku, and the most interesting bits are open source.
As soon as our friends tried Dependabot they loved the idea, but started telling us about a lot of things that were wrong with it. When added to an old codebase Dependabot would "helpfully" immediately create 30+ pull requests for you, for example. Merge one and the rest would have conflicts, which Dependabot did nothing to help you with. Want to ignore an update? If you closed the PR we'd just create another one for you the following morning 🤦♂️.
We learned a lot from our early users. There was probably about a month of polishing, with me and Harry both full time on it, to get the service to a point where we thought it was worth paying for.
There's definitely a lesson in the amount of work that was required to get Dependabot ready for others to use. Under the hood it's a really complicated product — dependency resolution is hard — but it needs to be simple and easy to use since it's not a space anyone wants to spend time and effort on. It's also one of those horrible products that is brilliant when it works perfectly and worse than useless when it falls even a little bit short!
Nowadays, being in the GitHub Marketplace is Dependabot's biggest source of customers, but it didn't start that way.
We started building Dependabot just as GitHub were previewing GitHub Marketplace, so we naturally tried to be a launch partner and piggyback off their marketing. We agonised over emails to them and fretted over the lack of replies, but it didn't stop them launching without us. Worse, they told us we'd need 250+ users to ever be listed. We had 22.
In hindsight, it was completely foolish of us to have pursued a partnership with them before we had anything to offer. GitHub had absolutely no reason to take a gamble on us just because we needed them, and they were completely right not to.
Undeterred, we attempted some marketing. We spent two days crafting the perfect blog post for Hacker News. The result? Two points on Hacker News and something similar on Reddit. One signup. Neither Harry nor I were well-known enough to get much attention in the developer community, and without a network, marketing was pretty much pot luck for us (or worse, a game we were just no good at).
At this point we had what we thought was a brilliant product and were literally struggling to give it away for free. Finally, we tried some sales. Every day I'd run a search on GitHub for PRs with the word "update" in the title. If Dependabot could have created the PR then I'd comment on it asking if they wanted to give Dependabot a try.
I didn't find many relevant PRs each day, but my conversion rate on the ones I did find was amazing — 50% of the people I contacted signed up! With an hour of PR trawling each day I could get us 2-3 signups, and we slowly climbed towards the magic 250.
By the way, I'd like to say just how much more valuable the time I spent on sales was, as opposed to marketing. It's the best advice I can give anyone trying to get a SaaS product off the ground, even if your customers are tiny and you're giving your product away for free.
When you do sales, you get feedback. You get better each time, and so does your product. You get a small cohort of users who love you, and you get consistent, measurable progress. Compare that to the uncertain inputs and outputs from marketing or partnership hunting and it seems obvious what Dependabot should have been doing to get started all along.
Two months ago we finally got into the GitHub Marketplace, which has transformed Dependabot's distribution. Our signup rate is literally 10x what it was before.
| Month | Accounts |
| --- | --- |
| May | 6 |
| Jun | 95 |
| Jul | 118 |
| Aug | 141 |
| Sep | 230 |
| Oct | 283 |
| Nov | 584 |
| Dec | 919 |
We charge organizations a monthly fee to have Dependabot run on their private repos. The amounts are pretty small ($15 for five repos, $50 for unlimited), but our customers are really sticky.
We've kept personal and open-source accounts free, and we'll always continue doing this since those users are great advertisements for us and unlikely to use the service if asked to pay. Our costs are relatively low so that model works well, and we've already had reports of people using Dependabot on their own projects, enjoying it, and then encouraging their employer to do the same.
Since we're in the GitHub Marketplace we collect our fees through GitHub, who add them to our customers' GitHub bills. GitHub take a meaty 25% share for the service, but it means paying for Dependabot is completely frictionless: organizations with private repos are always already paying GitHub so paying us too takes a single click.
Dependabot costs very little to run — our total costs for November were $50. Almost all of that is hosting fees to Heroku — we use their Hobby infrastructure for our frontend and backend apps and run our update jobs in one-off dynos. The only other thing we pay for is Gmail.
I want to get a lot more people using Dependabot! Distribution is the big thing we haven't cracked yet, but solving it would make developing the service more rewarding.
One way I'd love to tackle that is to build out tools for library developers. Dependabot bumps Rails and React on hundreds of repos, and has access to the test results on each one. Perhaps we could make that data (at least for the public repos) easily available to the teams behind Rails and React. Doing so would help them test release candidates and spot regressions, and maybe in turn they'd encourage their users to try Dependabot.
Beyond that, we're looking to add more languages. We're about halfway through the work to add support for Elixir and Java, and I'd love to add support for Go, too. Each language opens up a new market for us, and they're relatively easy to add because lots of Dependabot's functionality is language agnostic.
On a personal note, hopefully if we can do that then Dependabot can pay Harry and me enough that we can live on it.
It's probably terrible advice, but for me, just building something helped me keep going as an entrepreneur. For the last four months I've been volunteering in healthcare with half my time and building Dependabot with the rest. If I hadn't had Dependabot to work on I almost certainly wouldn't have been able to handle the lack of progress in healthcare.
Learning how to distribute has been a challenge, but the psychological side of running a business has been far rougher.
Dependabot wasn't the thing I originally set out to build, and at first that shielded me from some of its emotional ups and downs — I kept telling myself it didn't matter if it did or didn't work out.
Now, however, I tend to ignore its successes and feel its failures even more acutely. When Dependabot is up I'm telling myself, "Yeah, but it's just this little thing, not the big business I wanted to build, and it doesn't go anywhere." When it's down, I'm thinking, "Oh man, I failed to break into healthcare and now I can't even make this work?!"
The biggest thing I've learnt is just to work through the tough times. If I'd quit during the three months of misery between building Dependabot and getting it into the marketplace then I'd never have seen the success on the other side. Some obsessive part of me wouldn't let me walk away, and I kept believing the thing should work, so I stuck at it.
I've found working in an office really useful for keeping me balanced. I volunteer full time helping a healthcare organization with their software decisions, so I sit in their office 9-5 mainly working on Dependabot. Having colleagues around to get lunch with is a nice reminder there's a world out there!
Also, at the risk of sounding sycophantic, I've really enjoyed reading Indie Hackers. Stories of other entrepreneurs that I could relate to have been a big boost during the day-to-day of trying to build a business.
If you're just starting out, I'd highly recommend doing your thing as a side project, rather than a full-time gig. In the early stages of Dependabot I was spending most of my time on it, and when things didn't go to plan that was really tough. Imagine working full time for two months, launching, and getting no coverage and only one signup. It's easier to take that, psychologically, when you have a job where people remind you that you're valued.
Also, as I said, do sales, not marketing. Even if you're B2C and giving your product away for free, start with one-on-one sales. Even if you hate it, start with sales. It's how you learn to understand your customers and to build the right product.
If anyone has any questions for me please don't hesitate to ask in the comments. I'll try to answer anything and everything. Thanks for having me on Indie Hackers, Courtland!
You should run your frontend on http://surge.sh/. The thing about the free dev is if no one hits it for a while it takes a while to spin back up and could be annoying for your users. Surge is free and great for static page hosting. I use it for hosting all my React front ends that don't need anything fancy.
It's basically like GitHub Pages.
I think you're thinking of Heroku "free" - the "hobby" boxes never sleep (according to https://www.heroku.com/pricing).
Thanks for the suggestion, though!
Yes, you're right! We're in the same boat as you trying to keep our costs as low as possible.
We moved all our servers to a mixture of Linode + S3/RDS.
Inspiring and impressive that you are solving a real problem and got it to $750 MRR so quick! Also very nice frontend website with great explanation how Dependabot works. Thanks for sharing!
Thanks! Design of the website was by our wonderfully talented friend Sam Willis as a (huge) favour. All design mistakes in the app itself are our own.
How much effort (time/money?) did you spend % wise on design so far for the website & app?
We haven't spent any money on design because we were lucky enough to have a friend who could help out with it for free / a few meals and beers. That's not to say that we don't hugely value Sam's designs, though - they've made a huge difference to us. As much as they've helped with Dependabot's credibility, they've also helped with our own feelings about the product - having a website that we're really proud of makes me way more excited about working on the product.
I'm always looking for designers who want to help out. I want to emphasize that this is really hard to find! Great design talent won't usually do it for free, even for friends. That's so fantastic. If you guys hit it big, make sure to reward him later.
thanks :)
As someone who is working on side projects currently, this is a super inspiring story. Was wondering how many hours a week you were spending in the early stages of Dependabot development.
Thanks Gabe!
The short answer is probably much too much! Maybe Dependabot is an outlier here, but a lot of hours have gone into its development (for a side-project).
In the beginning we were fitting Dependabot around coffee-chats with doctors, and since we didn't know many doctors. We probably put ~200 hours (total) into the prototype we first shared with companies, and we did it over 3/4 weeks working relatively intensively. Then in the following couple of weeks we probably put another 80 hours into addressing the feedback we were getting.
After we got a first version of Dependabot out the door and started getting knocked back by GitHub / Hacker News we dropped the hours down to about 15 a week (a couple of hours each day on distribution and bug-fixing). The project didn't make much progress during this period, as you can see from the users graph, but that was mainly because we hadn't figured out distribution. Harry took a part-time role to fund himself and I started volunteering full-time for a healthcare company.
More recently, as Dependabot has got more traction, I've been spending more time on it. I probably put in a solid 40 hours a week on it at the moment - an hour in the morning fixing bugs, then maybe 5 during the day / evening on more substantial stuff. (If you're wondering what extra features could possibly be necessary to an app that just creates dependency update PRs then take a look at the feature requests we've received!) It's a lot of time, but I think it's sensible right now as it wins Dependabot customers who really love it.
If the above sounds like a lot of hours, then don't forget that the very first version of Dependabot was built at a Hackathon, so only had ~10 hours of development in it. All of the polish to get it to a saleable product has been a lot of work, but we were at least able to prove the idea quickly.
Good luck with your side projects! :-)
Great stuff, I hope this continues to grow. I love your focus on sales!
Having sold to the medical industry before, I know how difficult and slow-moving it is.
Thanks Michael!