
[Question] Is it possible to use this without Docker?

Open rgret-dev opened this issue 1 year ago • 2 comments

Would it be possible to run dependabot CLI / dependabot-core without Docker?

Maybe there is good reasoning behind the usage of Docker, but I find it very "heavy" and complex just to get this working locally. Especially since the CLI itself requires Docker to be running, which seems... odd.

rgret-dev avatar May 05 '24 19:05 rgret-dev

Docker is not free for commercial use for large companies. So to run dependabot locally, in addition to our GitHub licenses, we'd also need to buy Docker licenses, regardless of whether we're using Docker.

joshnoe avatar Feb 20 '25 00:02 joshnoe

We also would like to be able to run this without Docker. We host most of our build agents as containers within Kubernetes, which for security reasons cannot create containers of their own.

jackmtpt avatar Mar 17 '25 14:03 jackmtpt

Dependabot uses containers and Docker networks because some ecosystems execute arbitrary code during their update. It is not wise to use it without some kind of containerization.

Dependabot CLI is built specifically to start those containers and network, and coordinate them getting their inputs and capturing their outputs. So it's not possible currently to run without Docker.

We are open to the idea of using another containerization service, but it's not a trivial switch. Feel free to 👍 this issue: https://github.com/dependabot/cli/issues/86

jakecoffman avatar May 06 '25 20:05 jakecoffman