Today we're announcing fossabot, a new AI agent for making strategic dependency updates, backed by a comprehensive accuracy, consistency, and correctness framework. fossabot is able to deliver completed work just like an engineer, including researching new versions, finding app impact and adapting code if needed. This product fulfills our philosophy for automating dependency updates and our EdgeBit acquisition. fossabot is currently available as a public preview, with a focus on the JavaScript and TypeScript ecosystems.

Your dependencies are simultaneously moving too fast and too slow

For a decade, FOSSA has protected businesses from open source risk in two large categories: compliance and security. We’ve identified a new, third category of risk that is emerging: dependency churn and update stagnation. AI coding agents are churning out new repos and dependency trees faster than we can follow. At the same time, crown jewel apps can’t keep up with the fast pace of upstream development and fall further behind. Neither is good, but fossabot is here to help...as if your best engineer managed updates 24/7.

The root of the problem is that every enterprise dependency update program is broken. Why? Our tools can’t make strategic updates the way our engineers can. Instead, enterprises focus on making the smallest update possible to fix an alert, only to do it again next month. No time is devoted to figuring out how to upgrade to the latest version of a package and the benefits it may bring to the app.

fossabot, our dependency updating AI agent, is capable of large complexity upgrades – the ones that require a senior engineer because they’re always an unexpected multi-hour research and coding task.

[Screenshot: a Dependabot pull request “Bump lodash from 4.17.20 to 4.17.21” (compatibility unknown), analyzed by fossabot in ~2m: Loading Code 30s, Change Detection 45s, Impact Detection 15s, Adapt to Impacts 20s. Summary by fossabot: “I recommend merging this lodash update from 4.17.20 to 4.17.21. This is a patch release that fixes several security vulnerabilities and includes performance improvements. Your application's usage patterns are compatible with this update.” Analyzed 47 files using lodash utilities across components/, utils/, and services/; verified no deprecated methods or breaking changes affect your codebase. Change Details, Security Fixes (3): fixed prototype pollution vulnerability in merge function; improved input validation for template method; enhanced sanitization in defaultsDeep.]

fossabot started out as an internal tool and became invaluable to our engineers and trusted testers, so we’re releasing it as a public preview for all to use. fossabot is available as a GitHub app and all users get $15 in free usage credit each month.

Why does fossabot work so well?

fossabot proposes strategic updates because it can balance risk vs. reward, understand breaking changes in the context of your app, and even adapt code to handle newer paradigms. Existing updaters like Dependabot or Renovate can’t do this reasoning, so they end up being configured to be “dumb,” like patch releases only. Plus, mechanically making the update is not the hard and slow part. It’s the research and understanding of risk to your app that takes forever and ultimately relegates most updates to the backlog forever.

Codebase Reasoning

fossabot’s analysis determines the impact of an update on your specific codebase and usage of dependencies instead of guessing about compatibility, which is what enables smart reasoning.
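The core of the impact detection step, as an added illustration that is not fossabot’s own code: intersect the exports changed by a release with the symbols each first-party file actually binds. The changed-function names are the three from the lodash change summary above; the source files and the simplified regex-based import matching are constructed for this example.

```javascript
// Added illustration (not fossabot's analysis engine): impact detection as the
// intersection of a release's changed exports with first-party usage.
// The changed-function list mirrors the lodash 4.17.21 change summary; the
// source files are constructed for this example.
const changedExports = {
  merge: "security fix: prototype pollution",
  template: "security fix: input validation",
  defaultsDeep: "security fix: sanitization",
};

// Constructed first-party sources keyed by path (a real scan reads these from disk).
const files = {
  "services/config.js": "const _ = require('lodash');\nmodule.exports = (a, b) => _.merge({}, a, b);",
  "utils/deep.js": "import defaultsDeep from 'lodash/defaultsDeep';\nexport const withDefaults = (o) => defaultsDeep(o, { retries: 3 });",
  "components/List.js": "import { map, template } from 'lodash';\nexport const render = (xs) => map(xs, template('<li><%- x %></li>'));",
  "utils/ids.js": "import { uniq } from 'lodash';\nexport const ids = (xs) => uniq(xs);",
};

// Collect the lodash symbols a file binds: a default import of a per-method path,
// named imports from the package root, or `_.name(` member calls.
function usedLodashSymbols(src) {
  const used = new Set();
  for (const m of src.matchAll(/import\s+(\w+)\s+from\s+['"]lodash\/(\w+)['"]/g)) used.add(m[2]);
  for (const m of src.matchAll(/import\s*\{([^}]*)\}\s*from\s+['"]lodash['"]/g)) {
    for (const name of m[1].split(",")) {
      const base = name.trim().split(/\s+as\s+/)[0];
      if (base) used.add(base);
    }
  }
  for (const m of src.matchAll(/\b_\.(\w+)\s*\(/g)) used.add(m[1]);
  return used;
}

// Map each file to the changed exports it touches; an empty list means "unaffected".
function impactReport(sources, changed) {
  const report = {};
  for (const [path, src] of Object.entries(sources)) {
    report[path] = [...usedLodashSymbols(src)]
      .filter((s) => Object.prototype.hasOwnProperty.call(changed, s))
      .sort();
  }
  return report;
}

for (const [path, hits] of Object.entries(impactReport(files, changedExports))) {
  console.log(hits.length ? `${path}: review ${hits.join(", ")}` : `${path}: unaffected`);
}
```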
Examples of this reasoning include:

- Use a rewritten React library and update your component to use the more modern syntax
- Upgrade a major version of a library safely because you use APIs in forward-compatible ways
- Adapt your code to an undeclared behavior change in a patch update

Here’s a partial excerpt of this reasoning in action:

[Screenshot: fossabot's reasoning and checklist]

fossabot uses a perfect balance of hard facts from static analysis paired with a scalable and detail-oriented AI.

Scale Through AI

fossabot outperforms human engineers because it can scale beyond what a reasonable person would do. It researches harder, deeper, and longer, with perfect memory about your first-party code, the dependency code and the library’s release notes, migration guides, and docs. While a human would become fatigued after an hour (or even minutes), fossabot will keep going until every modified function is triaged and every impact is understood throughout your entire codebase.

[Screenshot: fossabot's references and citations]

No engineer can hold a full picture of dependency usage, especially when multiple teams are involved. fossabot is able to take in more analysis and relationships than can be mapped out in your brain.

Delivers Completed Tasks

Customers tell us that understanding the level of effort for a change can be just as hard as the update itself. When fossabot is in charge of your updates, you can skip all of this toil and receive completed tasks, delivered right to a pull request. fossabot understands its limitations and can request assistance to “last-mile” an update across the finish line.

Backed by our evaluation framework and ability to classify different types of updates, we’re confident in fossabot’s ability to handle large complexity updates in the JavaScript/TypeScript ecosystem.

From Internal Tool to Public Preview

Earlier this year, FOSSA engineers hypothesized that with the right context, we could eliminate the toil from dependency updates.
We started providing a custom AI framework with details from FOSSA’s dependency metadata scanning, upgrade path guidance, and open source health signals. This grew into a robust breaking change detection engine that continues to surprise us with its detail and accuracy.

With breaking changes found, the next challenge was impact detection for each customer’s codebase. Static analysis is the ideal tool for this, which led to a partnership with and eventual acquisition of EdgeBit, which pioneered a new type of analysis designed for dependency update use-cases. Static analysis prevents the AI agent from making silly mistakes, and in our experience, perfectly balances the desired fuzziness you gain from using AI agents and sub-agents. fossabot is a “focused agent”: it resembles a pipeline for determinism but includes agentic steps as well.

[Diagram: blend of deterministic workflow with agentic elements inside of them]

Accuracy, Consistency, Correctness

While iterating on fossabot, we quickly realized that the evaluation framework and ground truth dataset were just as important as the tool itself, and in many ways, just as challenging as writing the code. fossabot continually scores itself on Accuracy, Consistency, Correctness (ACC) against a set of validated dependency updates with varying degrees of breaking changes, changed lines of code and usage of those libraries in real-world apps.

[Chart: Accuracy, Consistency, Correctness by Group & Complexity. Groups: routine_minor_updates, multi_dependency_updates, major_version_upgrades, dev_dependencies; each scored at low, medium and high complexity.]

This process quickly highlighted a key learning: the importance of weighted scoring in our evaluation. A false positive (where the tool incorrectly deems a breaking change safe) carries a much higher cost in terms of potential disruption and lost trust than a false negative (where a safe update is flagged for extra scrutiny).
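The weighting argument above, carried through as an added example that is not FOSSA’s ACC framework: two update classifiers are scored against a constructed ground-truth set whose group names follow the chart, once by raw accuracy and once with an assumed 5:1 cost ratio for a missed breaking change versus an unnecessary review.

```javascript
// Added illustration (not FOSSA's ACC scorer): cost-weighted evaluation where a
// false positive (breaking change judged safe) costs more than a false negative
// (safe update flagged for review). Ground-truth rows are constructed; the group
// names follow the page's chart. The 5:1 cost ratio is an assumption.
const groundTruth = [
  { id: 1, group: "routine_minor_updates", complexity: "low", breaking: false },
  { id: 2, group: "routine_minor_updates", complexity: "medium", breaking: false },
  { id: 3, group: "major_version_upgrades", complexity: "high", breaking: true },
  { id: 4, group: "major_version_upgrades", complexity: "medium", breaking: false },
  { id: 5, group: "multi_dependency_updates", complexity: "high", breaking: true },
  { id: 6, group: "dev_dependencies", complexity: "low", breaking: false },
];
const COST = { falsePositive: 5, falseNegative: 1 };

// Score verdicts (id -> "safe" | "review") against ground truth. Returns raw
// accuracy, a weighted score in [0, 1] (1 minus incurred cost over the cost of
// getting every row wrong), and per-group false positive / false negative counts.
function scoreVerdicts(truth, verdicts, cost = COST) {
  const perGroup = {};
  let correct = 0, totalCost = 0, worstCost = 0;
  for (const row of truth) {
    const saidSafe = verdicts[row.id] === "safe";
    const g = perGroup[row.group] || (perGroup[row.group] = { n: 0, fp: 0, fn: 0 });
    g.n++;
    if (row.breaking && saidSafe) { g.fp++; totalCost += cost.falsePositive; }
    else if (!row.breaking && !saidSafe) { g.fn++; totalCost += cost.falseNegative; }
    else correct++;
    // The only wrong answer for a breaking row is "safe"; for a safe row it is "review".
    worstCost += row.breaking ? cost.falsePositive : cost.falseNegative;
  }
  return { accuracy: correct / truth.length, weightedScore: 1 - totalCost / worstCost, perGroup };
}

// Aggressive tool: misses one breaking major upgrade but is otherwise right.
// Conservative tool: flags every non-routine-low update for review.
const aggressive = { 1: "safe", 2: "safe", 3: "safe", 4: "safe", 5: "review", 6: "safe" };
const conservative = { 1: "safe", 2: "review", 3: "review", 4: "review", 5: "review", 6: "safe" };

for (const [name, v] of [["aggressive", aggressive], ["conservative", conservative]]) {
  const s = scoreVerdicts(groundTruth, v);
  console.log(`${name}: accuracy=${s.accuracy.toFixed(3)} weighted=${s.weightedScore.toFixed(3)}`);
}
```

Raw accuracy favors the aggressive tool (5/6 vs 4/6) while the weighted score ranks the conservative one higher (12/14 vs 9/14), which is the ranking the page argues an update evaluator should produce.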
This phase also helped us debunk early, overly simplistic assumptions, such as the fallacy that all major version upgrades are inherently breaking.

Our public preview is targeted at the JavaScript/TypeScript ecosystem because our ACC dataset is robustly populated — other ecosystems will follow shortly as we build out more ground truth.

We believe that several design decisions set at the genesis of fossabot make it a trusted foundation:

- Striving for determinism at key steps
- Smartly using static analysis
- Using AI to be doggedly persistent and detail oriented
- Measuring ourselves against the ACC ground truth

We hope fossabot earns your trust, and we’d love your feedback on analysis that looks great or needs refinement.

Try Out fossabot

fossabot’s public preview is available as a GitHub app. Every user gets $15 of analysis credit, replenished every month. Let loose the updates!

Today, fossabot will auto-analyze Pull Requests opened from Dependabot, Renovate or Snyk. Soon, fossabot will open its own PRs with pre-planning and pre-analysis taken into account.

Reach out to get a demo of fossabot and let's figure out how to get your teams caught up on updates.