Why didn't GitHub come up with this? This seems like such an obvious use case.

GitHub PM here. We have tried this, but we weren't able to get results that we were satisfied with. Of course, you have to revisit these things regularly, as the models and wider state of the art are evolving so quickly!

It requires you to go deep in both the code analysis and the research, which is expensive at their scale.

And, as someone whose startup (EdgeBit was acquired by FOSSA recently) wrote a new JS/TS static analysis engine, it's just hard to get correct.

GitHub hasn't done anything interesting with dependabot or code scanning for a while.

They're spending all of their engineering resources on not doing anything interesting with Copilot instead.

And not solving lots of small issues listed on... GitHub. The community project is such an issues graveyard.

It's a niche for AI, which creates some great opportunities for context engineering :)

Because this won't work. Dependency updates are actually incredibly hard.