Getting Started with Ovvoc in 5 Minutes

Ovvoc team · 5 min read

Getting started with Ovvoc takes about 5 minutes. By the end of this guide, you'll have Ovvoc monitoring your repository and your first update PR on the way.

Step 1: Install the GitHub App

After signing in to Ovvoc, you'll be prompted to install the Ovvoc GitHub App. Click "Install" and you'll be redirected to GitHub's app installation page.

You can choose to install Ovvoc on all repositories or select specific ones. We recommend starting with a single repository to see how it works before expanding.

Ovvoc requests only the minimum permissions needed:

  • Contents: write — to clone your repository and push update branches
  • Pull requests: write — to create PRs with update results
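To confirm after installation that the grant matches the two permissions listed above, the following added example (not Ovvoc's code) audits an installation record in the shape GitHub's REST API returns for app installations. The app slug `ovvoc` and the sample records are constructed; `metadata: read` is allowed because GitHub adds it to any app that holds repository permissions.

```javascript
// Added example: audit a GitHub App installation record against the
// permissions this guide lists. Field names follow GitHub's installation
// object; the records below and the app slug "ovvoc" are constructed.
const EXPECTED = { contents: "write", pull_requests: "write", metadata: "read" };
const LEVEL = { read: 1, write: 2, admin: 3 };

function auditInstallation(inst, expected = EXPECTED) {
  const findings = [];
  const granted = inst.permissions || {};
  for (const [name, level] of Object.entries(granted)) {
    if (!(name in expected)) {
      findings.push(`unexpected permission ${name}: ${level}`);
    } else if (!(level in LEVEL) || LEVEL[level] > LEVEL[expected[name]]) {
      findings.push(`${name} is ${level}, expected at most ${expected[name]}`);
    }
  }
  for (const name of Object.keys(expected)) {
    // metadata is implicit, so only report the permissions the guide names.
    if (name !== "metadata" && !(name in granted)) {
      findings.push(`missing permission ${name}`);
    }
  }
  if (inst.repository_selection === "all") {
    findings.push("installed on all repositories, not a selected set");
  }
  return findings;
}

// Constructed sample records: one matching the guide, one over-scoped.
const sampleInstallations = [
  { app_slug: "ovvoc", repository_selection: "selected",
    permissions: { contents: "write", pull_requests: "write", metadata: "read" } },
  { app_slug: "ovvoc", repository_selection: "all",
    permissions: { contents: "write", pull_requests: "write", metadata: "read",
                   workflows: "write", administration: "read" } },
];

for (const inst of sampleInstallations) {
  const findings = auditInstallation(inst);
  console.log(inst.app_slug, inst.repository_selection, findings.length ? findings : "ok");
}
```

An empty result means the installation holds exactly what this guide describes; any finding is worth resolving before enabling more repositories.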

Step 2: Select repositories

Once the GitHub App is installed, head to your Ovvoc dashboard. You'll see your connected repositories listed. Enable monitoring for the repos you want Ovvoc to watch for dependency updates.

For each repository, Ovvoc will:

  1. Scan package.json for all dependencies
  2. Check each dependency against the npm registry for newer versions
  3. Identify security advisories from the npm audit database
  4. Queue update jobs based on priority (security patches first)

Step 3: Your first scan

The initial scan happens automatically when you enable a repository. Within minutes, Ovvoc will analyze your dependency tree and start queuing update jobs. You can track progress in real time from the dashboard.

Security patches and critical updates are prioritized. Version bumps that require no code changes are processed first (they're fastest), followed by updates that need AST transforms or AI-assisted migration.

Step 4: Review your first PR

When an update completes successfully — meaning the code was transformed, the project built, and all tests passed — Ovvoc opens a pull request on your repository.

Each PR includes:

  • Confidence score — how certain Ovvoc is that the update is correct
  • Change summary — what was updated and what code transforms were applied
  • Test results — full output from your test suite
  • Category label — which of the 25 update categories this falls into

Review the diff, check the test results, and merge with confidence.

Understanding failure reports

Not every update will succeed. When tests fail after an update, Ovvoc does not open a PR. Instead, you get a failure report in your dashboard that includes:

  • Which dependency was being updated and to which version
  • What transforms were applied
  • Which tests failed and their output
  • Suggested next steps

Failure reports help you understand exactly what went wrong without any risk to your codebase. Your main branch is never affected.

Prerequisites

Before you begin, make sure you have the following in place:

  • GitHub account — Ovvoc integrates via a GitHub App, so you need an account with admin access to the repositories you want to monitor
  • npm/Node.js project with package.json — Ovvoc currently supports the npm ecosystem. Your project needs a valid package.json in the repository root
  • Test suite (recommended) — Ovvoc runs npm test to verify updates. Without a test suite, Ovvoc can still build-verify updates but can't confirm behavioral correctness
  • Build script (recommended) — if your project has a build script in package.json, Ovvoc runs npm run build to verify compilation after transforms

Supported Node versions: 18 and above. Ovvoc containers use the latest LTS Node release by default, but you can configure a specific version in your repo settings.

Package managers: npm (default), yarn v1, yarn v2+ (Berry), pnpm, and bun are all supported. Ovvoc auto-detects your package manager from the lockfile present in your repository.
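The prerequisites and lockfile detection above can be checked locally before connecting a repository. This is an added example, not Ovvoc's detection logic: the `files` map, the function names, the npm fallback when no lockfile is committed, and the treatment of mixed lockfiles as ambiguous are all assumptions.

```javascript
// Added example, not Ovvoc's code: a local pre-flight check of a repository
// root. `files` maps root file names to their text content (hypothetical shape).
const LOCKFILES = {
  "package-lock.json": "npm", "yarn.lock": "yarn",
  "pnpm-lock.yaml": "pnpm", "bun.lockb": "bun", "bun.lock": "bun",
};

function detectPackageManager(files) {
  const present = Object.keys(LOCKFILES).filter((f) => f in files);
  const managers = [...new Set(present.map((f) => LOCKFILES[f]))];
  // Assumption: with no lockfile, fall back to npm, which the guide calls the default.
  if (managers.length === 0) return { manager: "npm", note: "no lockfile committed" };
  if (managers.length > 1) return { manager: null, note: `ambiguous lockfiles: ${present.join(", ")}` };
  if (managers[0] !== "yarn") return { manager: managers[0], note: null };
  // Yarn v1 lockfiles carry this header line; Berry lockfiles do not.
  const v1 = files["yarn.lock"].includes("# yarn lockfile v1");
  return { manager: v1 ? "yarn v1" : "yarn v2+ (Berry)", note: null };
}

function preflight(files) {
  let pkg;
  try { pkg = JSON.parse(files["package.json"]); } catch { pkg = null; }
  if (!pkg || typeof pkg !== "object") {
    return { manager: null, problems: ["package.json missing or invalid in repository root"] };
  }
  const problems = [];
  const scripts = pkg.scripts || {};
  if (!scripts.test) {
    problems.push("no test script: updates can be build-verified only");
  } else if (scripts.test.includes("no test specified")) {
    // The script `npm init` generates exits 1, so every update would fail its tests.
    problems.push("test script is the npm init placeholder");
  }
  if (!scripts.build) problems.push("no build script: compilation is not verified");
  const pm = detectPackageManager(files);
  if (pm.note) problems.push(pm.note);
  return { manager: pm.manager, problems };
}

// Constructed sample: Berry lockfile, placeholder test script, no build script.
const sampleRepo = {
  "package.json": JSON.stringify({
    name: "demo",
    scripts: { test: 'echo "Error: no test specified" && exit 1' },
  }),
  "yarn.lock": "# This file is generated by running \"yarn install\"\n\n__metadata:\n  version: 8\n",
};
console.log(preflight(sampleRepo));
```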

Step-by-step setup walkthrough

Here's the complete flow from sign-up to your first automated update:

  1. Sign up at ovvoc.com with GitHub OAuth — click "Get Started" and authorize with your GitHub account. We request only the minimum permissions needed for repository access
  2. Install the GitHub App on selected repos — after sign-up, you're prompted to install the Ovvoc GitHub App. Choose specific repositories rather than granting access to all repos — you can always add more later
  3. Dashboard auto-populates — once the app is installed, your dashboard immediately shows the connected repositories along with their dependency counts and current versions
  4. First scan happens within 60 seconds — Ovvoc automatically scans each connected repo, reads package.json, checks all dependencies against the npm registry, and identifies available updates
  5. Updates queue automatically based on priority — security patches queue first, followed by version-only bumps, then updates requiring code transforms. You can adjust priority settings per repository

Dashboard tour

The Ovvoc dashboard is organized into six main pages, each focused on a different aspect of your dependency management:

  • Overview — high-level stats including total repos, total dependencies, pending updates, and recent activity. This is your at-a-glance status page
  • Repos — lists all monitored repositories with dependency counts, last scan time, and health status. Click any repo to see its full dependency breakdown
  • Updates — shows all detected version changes across your repositories. Filter by severity, category, or status. Each update shows the current version, available version, and update category
  • Jobs — tracks every pipeline execution. Each job shows its status (queued, running, passed, failed), duration, and the specific transforms applied. Click a job for the full execution log
  • Pull Requests — shows all PRs created by Ovvoc across your repositories, with confidence scores, merge status, and links to the GitHub PR
  • Billing — shows your current plan, subscription status, and activity summary. Manage your subscription through Paddle

Your first update lifecycle

Here's exactly what happens when Ovvoc processes an update, from detection to PR:

The npm registry publishes a new version of one of your dependencies. Ovvoc's registry monitor detects the new version within minutes via the npm changes feed. A job is queued with the appropriate priority based on update type (security patch, minor bump, major version, etc.).

When the job reaches the front of the queue, an ephemeral container spins up. Your repository is cloned inside the container. The dependency is updated in package.json, and if the update requires code changes (categories 7+), the AST transform engine or AI coordinator applies the necessary modifications.

After transforms are applied, npm install regenerates the lockfile, npm run build verifies compilation, and npm test validates behavior. If all steps pass, Ovvoc opens a PR on your repository with a detailed description, confidence score, and category label. If any step fails, a failure report is generated instead — no broken PR, no risk to your main branch.

Timeline: the entire process typically takes 1–3 minutes end to end, depending on your project's install, build, and test times.

Troubleshooting

If something isn't working as expected, here are the most common issues and their solutions:

  1. "No repos showing" — verify the GitHub App is installed on the repositories you expect. Go to your GitHub settings → Applications → Ovvoc to check installation scope
  2. "Scan found 0 dependencies" — make sure package.json exists in the repository root. For monorepos, Ovvoc automatically detects workspaces (npm, pnpm, Turborepo) and scans all packages
  3. "Build failed" — verify that npm run build works locally on a clean install. Missing environment variables or native dependencies may cause build failures in the container
  4. "Tests skipped" — add an npm test script to your package.json. Without a test script, Ovvoc can only verify that the project builds, not that it behaves correctly
  5. "PR not created" — PRs are only created when both build and tests pass. Check the job's failure report in your dashboard to see what went wrong
  6. "AI budget exceeded" — complex transforms (categories 14–25) use AI tokens, which have a configurable per-job budget. Increase the limit in your repository settings if transforms are being skipped due to budget constraints

Recommended configuration

The right configuration depends on your project's size and risk tolerance:

For small projects (1–3 repos, <50 deps each): enable immediate updates for all categories. Small projects benefit from staying current with every release. The volume of updates is manageable, and each update is isolated enough to review quickly.

For large projects (5+ repos, 100+ deps each): use daily batch processing to group related updates and reduce PR noise. Consider skipping major version updates initially and handling them on a sprint-by-sprint basis once you're comfortable with Ovvoc's transform quality.

For monorepos: configure per-workspace settings so that updates to shared dependencies are coordinated across workspaces. This prevents version conflicts between packages in the same repository.

That's it. Five minutes to set up, and Ovvoc handles the rest. Questions? Reach out to our team.
