Dependency management bots automatically open pull requests to update software dependencies on behalf of developers. Early research shows that developers are suspicious of updates performed by dependency management bots and feel tired of overwhelming notifications from these bots. Despite this, dependency management bots are becoming increasingly popular. Such contrast motivates us to investigate Dependabot, currently the most visible bot on GitHub, to reveal the effectiveness and limitations of state-of-the-art dependency management bots. We use exploratory data analysis and a developer survey to evaluate the effectiveness of Dependabot in keeping dependencies up-to-date, interacting with developers, reducing update suspicion, and reducing notification fatigue. We obtain mixed findings. On the positive side, projects do reduce technical lag after Dependabot adoption, and developers are highly receptive to its pull requests. On the negative side, its compatibility scores are too scarce to be effective in reducing update suspicion; developers tend to configure Dependabot toward reducing the number of notifications; and 11.3% of projects have deprecated Dependabot in favor of other alternatives. The survey confirms our findings and provides insights into the key missing features of Dependabot. Based on our findings, we derive and summarize the key characteristics of an ideal dependency management bot, which can be grouped into four dimensions: configurability, autonomy, transparency, and self-adaptability.
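As an added illustration, not taken from the paper or its dataset, the following `dependabot.yml` shows the kind of configuration the abstract refers to when it says developers tune Dependabot toward fewer notifications. The option names (`schedule`, `open-pull-requests-limit`, `ignore`, `groups`) are documented Dependabot configuration keys; the particular values and the `npm` ecosystem are assumptions chosen for the example.

```yaml
# Added example: a Dependabot configuration that trades update frequency for
# fewer pull requests. Keys are real Dependabot options; values are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"      # assumed ecosystem for this example
    directory: "/"
    # One batch per week instead of a PR the moment each new release appears.
    schedule:
      interval: "weekly"
    # Cap the number of simultaneously open Dependabot PRs (default is 5).
    open-pull-requests-limit: 3
    # Suppress major-version bumps, which are the updates developers are most
    # suspicious of and most likely to leave unmerged.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    # Collapse all minor and patch bumps into a single grouped PR.
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

The trade-off this configuration encodes is the one the abstract's findings point at: each of these settings lowers notification volume, but ignoring major versions also lengthens technical lag for exactly the updates that most often carry security fixes, so a team using such a configuration should still watch Dependabot's security alerts separately.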