Mid Sweden University

Evolving Trends in the Adoption and Effectiveness of DEPENDABOT Security Pull Requests
Mid Sweden University, Faculty of Science, Technology and Media, Department of Communication, Quality Management, and Information Systems (2023-).
2024 (English). Independent thesis, Basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

In the rapidly evolving software industry, bots have become integral to automating tasks and enhancing developer productivity, and they are revolutionizing the way security patches are implemented in software projects. Our study investigates the impact of DEPENDABOT on the speed and efficacy of security patching in GitHub Open Source Software projects by studying merge times and the factors that contribute to DEPENDABOT's resolution of security issues in JavaScript projects. We use a dataset containing DEPENDABOT Security Pull Requests. Our study validates previous findings by collecting data from the GitHub API and publishing a dataset collected between 2021 and 2024. We face challenges in collecting the features that impact merge times, but overcome them by prioritizing the top 3 features and 2 additional ones. We also investigate the factors behind not merging Pull Requests, in order to identify the obstacles to adopting DEPENDABOT's recommendations, by analysing Pull Request comments. We start by performing sentiment analysis and topic modeling but switch to GitHub Copilot instead and continue investigating the presence of factors that impact rapid merge times. Our results show a lower adoption rate of DEPENDABOT Security Pull Requests in JavaScript Open Source Software projects, specifically 13%, compared to that of the original study. 76% of Pull Requests are merged within 4 days, with a median decision time of 0.3 days. The main reason for not merging a DEPENDABOT Security Pull Request is that another DEPENDABOT Security Pull Request supersedes it. Factors associated with faster merges are related to smaller changes and, controversially, disabling auto-merge.

Place, publisher, year, edition, pages
2024, p. 10
Keywords [en]
GitHub, Dependabot, Security, Rapid Merge Time, Copilot
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:miun:diva-51725
OAI: oai:DiVA.org:miun-51725
DiVA id: diva2:1877917
Subject / course
Computer Engineering DT1
Educational program
Software Engineering TPVAG 120/180 higher education credits
Available from: 2024-06-26. Created: 2024-06-26. Last updated: 2024-06-26. Bibliographically approved.

Open Access in DiVA

fulltext (227 kB), 138 downloads
File information
File name: FULLTEXT01.pdf
File size: 227 kB
Checksum SHA-512: ae2d1212dd9a494ac01245ad8f3590b545ea1e4481178032e3d7c80d6c2cba94c44eeeb66e04db0ad1b3094bb1119e6648600dce26d92231527bbfde0aee48c9
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor: Jernestål, Jacob
By organisation
Department of Communication, Quality Management, and Information Systems (2023-)
Software Engineering
