Hello! What's your background, and what are you working on?
I took a slightly circuitous route to becoming a software engineer: I was a strategy consultant for a couple of years before teaching myself to code. After that a stint at a startup (GoCardless) gave me some product experience, and I started Dependabot after setting out to do my own thing.
Two months after launch, Dependabot makes $740/month and sees around 5,000 pull requests merged.
What motivated you to get started with Dependabot?
Dependabot was never really meant to be a business — it started out as a side project to keep me sane whilst I tried to do a "proper" startup in healthcare.
Back when I was working at GoCardless one of my jobs was keeping our Ruby dependencies up-to-date. Each morning I'd log into our "Gemnasium dashboard", check what needed updating, and create a bunch of PRs. This soon became tedious and I wondered if I could automate it, so along with a few friends I built Bump at a work hackathon.
Bump had a lot wrong with it but hung together well enough to be useful for the next 18 months. That gave me confidence that it would stand on its own two feet, but I was too engrossed in GoCardless work to try to spin it out.
I left GoCardless to do my own thing a year ago and was full of ambition. I cycled around the world and got back wanting to change it by starting something in healthcare. Two months of endless coffee chats and discouragement later, however, and I was ground down.
Building Dependabot became my part-time antidote as it was the exact opposite: a product where I already knew exactly what to build in an industry I understood back-to-front.
What went into building the initial product?
Living off our savings, Harry and I gave ourselves two weeks to build the first version of Dependabot. We got GoCardless to give us the IP from Bump (we were, and still are, on really good terms with them), applied a lot of polish, and built a frontend and API for it from scratch.
We missed our deadline, but after four weeks we had something we were happy asking friends to try. We're both developers, so sourcing a few early adopters wasn't too tricky.
From a tech perspective, Dependabot is split into a front end, an API back end, and a dependency updater. The back end is Ruby on Rails, the updater is pure Ruby, and the front end is a React app. We also have some Python and PHP code for bumping Python and PHP dependencies.
Everything is hosted on Heroku, and the most interesting bits are open source.
As soon as our friends tried Dependabot they loved the idea, but started telling us about a lot of things that were wrong with it. When added to an old codebase Dependabot would "helpfully" immediately create 30+ pull requests for you, for example. Merge one and the rest would have conflicts, which Dependabot did nothing to help you with. Want to ignore an update? If you closed the PR we'd just create another one for you the following morning 🤦‍♂️.
We learned a lot from our early users. There was probably about a month of polishing, with me and Harry both full time on it, to get the service to a point where we thought it was worth paying for.
There's definitely a lesson in the amount of work that was required to get Dependabot ready for others to use. Under the hood it's a really complicated product — dependency resolution is hard — but it needs to be simple and easy to use since it's not a space anyone wants to spend time and effort on. It's also one of those horrible products that is brilliant when it works perfectly and worse than useless when it falls even a little bit short!
How have you attracted users and grown Dependabot?
We started building Dependabot just as GitHub were previewing GitHub Marketplace, so we naturally tried to be a launch partner and piggyback off their marketing. We agonised over emails to them and fretted over the lack of replies, but it didn't stop them launching without us. Worse, they told us we'd need 250+ users to ever be listed. We had 22.
In hindsight, it was completely foolish of us to have pursued a partnership with them before we had anything to offer. GitHub had absolutely no reason to take a gamble on us just because we needed them, and they were completely right not to.
Undeterred, we attempted some marketing. We spent two days crafting the perfect blog post for Hacker News. The result? Two points on Hacker News and something similar on Reddit. One signup. Neither Harry nor I were well-known enough to get much attention in the developer community, and without a network, marketing was pretty much pot luck for us (or worse, a game we were just no good at).
At this point we had what we thought was a brilliant product and were literally struggling to give it away for free. Finally, we tried some sales. Every day I'd run a search on GitHub for PRs with the word "update" in the title. If Dependabot could have created the PR then I'd comment on it asking if they wanted to give Dependabot a try.
I didn't find many relevant PRs each day, but my conversion rate on the ones I did find was amazing — 50% of the people I contacted signed up! With an hour of PR trawling each day I could get us 2-3 signups, and we slowly climbed towards the magic 250.
By the way, I'd like to say just how much more valuable the time I spent on sales was, as opposed to marketing. It's the best advice I can give anyone trying to get a SaaS product off the ground, even if your customers are tiny and you're giving your product away for free.
When you do sales, you get feedback. You get better each time, and so does your product. You get a small cohort of users who love you, and you get consistent, measurable progress. Compare that to the uncertain inputs and outputs from marketing or partnership hunting and it seems obvious what Dependabot should have been doing to get started all along.
Two months ago we finally got into the GitHub Marketplace, which has transformed Dependabot's distribution. Our signup rate is literally 10x what it was before.
What's your business model, and how have you grown your revenue?
We charge organizations a monthly fee to have Dependabot run on their private repos. The amounts are pretty small ($15 for five repos, $50 for unlimited), but our customers are really sticky.
We've kept personal and open-source accounts free, and we'll always continue doing this since those users are great advertisements for us and unlikely to use the service if asked to pay. Our costs are relatively low so that model works well, and we've already had reports of people using Dependabot on their own projects, enjoying it, and then encouraging their employer to do the same.
Since we're in the GitHub Marketplace we collect our fees through GitHub, who add them to our customers' GitHub bills. GitHub take a meaty 25% share for the service, but it means paying for Dependabot is completely frictionless: organizations with private repos are always already paying GitHub so paying us too takes a single click.
Dependabot costs very little to run — our total costs for November were $50. Almost all of that is hosting fees to Heroku — we use their Hobby infrastructure for our frontend and backend apps and run our update jobs in one-off dynos. The only other thing we pay for is Gmail.
What are your goals for the future?
I want to get a lot more people using Dependabot! Distribution is the big thing we haven't cracked yet, but solving it would make developing the service more rewarding.
One way I'd love to tackle that is to build out tools for library developers. Dependabot bumps Rails and React on hundreds of repos, and has access to the test results on each one. Perhaps we could make that data (at least for the public repos) easily available to the teams behind Rails and React. Doing so would help them test release candidates and spot regressions, and maybe in turn they'd encourage their users to try Dependabot.
Beyond that, we're looking to add more languages. We're about halfway through the work to add support for Elixir and Java, and I'd love to add support for Go, too. Each language opens up a new market for us, and they're relatively easy to add because lots of Dependabot's functionality is language agnostic.
On a personal note, hopefully if we can do that then Dependabot can pay Harry and me enough that we can live on it.
It's probably terrible advice, but for me, just building something helped me keep going as an entrepreneur. For the last four months I've been volunteering in healthcare with half my time and building Dependabot with the rest. If I hadn't had Dependabot to work on I almost certainly wouldn't have been able to handle the lack of progress in healthcare.
What are the biggest challenges you've faced and obstacles you've overcome?
Learning how to distribute has been a challenge, but the psychological side of running a business has been far rougher.
Dependabot wasn't the thing I originally set out to build, and at first that shielded me from some of its emotional ups and downs — I kept telling myself it didn't matter if it did or didn't work out.
Now, however, I tend to ignore its successes and feel its failures even more acutely. When Dependabot is up I'm telling myself, "Yeah, but it's just this little thing, not the big business I wanted to build, and it doesn't go anywhere." When it's down, I'm thinking, "Oh man, I failed to break into healthcare and now I can't even make this work?!"
The biggest thing I've learnt is just to work through the tough times. If I'd quit during the three months of misery between building Dependabot and getting it into the marketplace then I'd never have seen the success on the other side. Some obsessive part of me wouldn't let me walk away, and I kept believing the thing should work, so I stuck at it.
Have you found anything particularly helpful or advantageous?
I've found working in an office really useful for keeping me balanced. I volunteer full time helping a healthcare organization with their software decisions, so I sit in their office 9-5 mainly working on Dependabot. Having colleagues around to get lunch with is a nice reminder there's a world out there!
Also, at the risk of sounding sycophantic, I've really enjoyed reading Indie Hackers. Stories of other entrepreneurs that I could relate to have been a big boost during the day-to-day of trying to build a business.
What's your advice for indie hackers who are just starting out?
If you're just starting out, I'd highly recommend doing your thing as a side project, rather than a full-time gig. In the early stages of Dependabot I was spending most of my time on it, and when things didn't go to plan that was really tough. Imagine working full time for two months, launching, and getting no coverage and only one signup. It's easier to take that, psychologically, when you have a job where people remind you that you're valued.
Also, as I said, do sales, not marketing. Even if you're B2C and giving your product away for free, start with one-on-one sales. Even if you hate it, start with sales. It's how you learn to understand your customers and to build the right product.
Where can we go to learn more?
If anyone has any questions for me please don't hesitate to ask in the comments. I'll try to answer anything and everything. Thanks for having me on Indie Hackers, Courtland!
—, Creator of Dependabot