Contributing to open source software: Creating a pull request

In this screencast, we’re going to take a look at Contributing to Open Source Software, specifically how to create a pull request.


public static void main 🎶

On June 23, 2023 Hanno Embregts and I performed a lightning talk / pop music quiz called “public static void main 🎶 “. This was based on a Tweet that said “I realized that you can sing “public static void main” like “Everybody dance now” and I can’t stop doing it”. Hanno found 15(!!) songs that would also work, and we created a pop music quiz.

On June 23, 2023 Hanno Embregts and I performed a lightning talk / pop music quiz called “public static void main 🎶 “.

Hanno and I met at Joy of Coding 2022, where he gave his talk “What “Stairway to Heaven” Can Teach Us About Software Development“. In this talk, he plays parts of the song on stage with his travel guitar, and then explains how the lyrics are about software development.

How it started

A few weeks later, I saw a tweet that said “I realized that you can sing “public static void main” like “Everybody dance now” and I can’t stop doing it”. (And, I’ve been doing just that ever since.) Someone responded to my retweet by pointing out that this also works for Vamos a la playa.

I love it when a plan comes together

So I pitched the idea to Hanno of doing a “pop music quiz” with different songs where we would replace the lyrics with “public static void main” and we could have the audience guess what the original song was. A few months later, Hanno contacted me to say he had found at least 15(!!) songs where this would work. Apparently, he had gone through the Top 2000 looking for songs he thought might work. So we got together to discuss this idea, write an abstract and figure out where to submit it too. We submitted to several conferences that offered lightning talks slots and … got accepted to Joy of Coding 2023! Coincidentally, this is also where I got started speaking, so I was very excited to return.

Time constraints

Unfortunately, we had to cut some songs due to the 5-minute limit, so we selected the 6 we thought would work best. We selected a quiz tool, created the questions, and some videos to go with them using IntelliJ IDEA‘s live templates.
The Joy of Coding organizers were extremely helpful in allowing us to take the last slot in the lightning talk line-up, letting us use our own laptop to run the quiz, and talking to the venue to get Hanno an audio monitor at the last minute.

Joy of Coding 2023

On the day of the conference, we had a lot of fun playing and singing along.

And to our surprise, we ended up with a tie for first place! Fortunately, we had some back-up songs we could use to settle this tie in a kind of “sudden death” match between the two top contestants.

We also got some positive feedback from the crowd, as well as an invitation to perform again elsewhere.


Many thanks to original tweeters for the idea (I’ll forgive you for also getting the song stuck in my head), Hanno Embregts for the awesome collaboration, Yosuf Haydary for pictures and videos of the event and Joy of Coding for having us!

How I got started with public speaking

As a public speaker, one of the questions that comes up occasionally is “How did you get into public speaking?”. In my case another speaker and conference organizer convinced me to submit a lightning talk to their conference, which got accepted. it was both scary and exciting, but fun enough to keep doing it!

As a public speaker, one of the questions that comes up occasionally is “How did you get into public speaking?”. Everybody has their own personal story; this is mine.

Attending conferences

In my 20+ years in IT, I’d never had a job where it was normal for me to go to conferences. This changed when I joined, an online retail platform, in 2017. At, going to  conferences was very common. As it turns out, I really loved going to conferences.

Some of the things I particularly enjoy are hearing about new technologies I might not yet be aware of, or new and different perspectives on technologies I already know. Also, I’m interested in hearing stories about challenges people face in other companies and industries, and how they solve their problems (either with or without specific tools). My favorite conferences are the ones where I come back with a bunch of ideas of new things to try. In addition, I very much enjoyed meeting people and discussing our thoughts on software development in the so-called “hallway track”; the conversations that happen in the hallway in between talks. While talks can often be watched online after a conference, meeting new people and having conversations with them only happens in person.

Meeting other speakers

To expose myself to more ideas, I created a Twitter account and started following speakers I liked and people I met at conferences. One of those people was Peter Hilton, whose talk I saw speak at CodeMotion Amsterdam 2017 and later met at Joy of Coding in 2017.

Peter was the one who convinced me to submit a lightning talk to Joy of Coding in 2018. He told me that as it was only 5 minutes, if I really didn’t like it, at least it would be over quickly. Of course, what he didn’t tell me is that it could be worse: I could end up liking it and wanting to do it again! Also, it wasn’t until I was accepted to do a 5-minute lightning talk that people told me that short lightning talks are actually harder than regular, longer talks. If you only have 5 minutes to get your point across, you have to be really clear about what that point is!

Picking a topic for my first talk

For my very first talk, I chose a topic I was very enthusiastic about and actively using at the time: Cucumber & BDD. I had started using Cucumber the year before and even started making open source contributions to the Cucumber documentation as well as cucumber-jvm (the Java implementation of Cucumber). My team at the time was using Cucumber to describe the intended behavior of our applications, and these automated tests helped safeguard this behavior by making sure we didn’t break it when making changes and adding new features. Being an active user and contributor, I had way more to say about this topic than I could fit into 5 minutes, so I had to bring it down to several core points I wanted to make. 

Practice makes perfect

Since it was imperative that I keep it under 5 minutes (I was told that the microphone would be cut after 5 minutes; no pressure!), I practiced my talk. A lot. The way I did this was by setting a 5-minute timer on my phone, and practicing my talk in the mirror. Every time I went over the 5 minutes, I would think about what went wrong. Often, it would be a tangent I went on that would take too long, so I would try to cut that and try again. Eventually I managed to whittle it down to 5 minutes and focus on the core idea(s) I wanted to get across.

Conference day!

On the day of the conference, I was extremely nervous but also excited. It was pretty exciting to see my name on a speaker badge!

Joy of Coding 2018 conference badge with my name and the text "I'm a speaker - ask me anaything!"
First speaker badge with my name on it!

There were several people doing lightning talks and the organizers had been kind enough to let me go on first, so I didn’t have to continue to get more nervous while waiting for my turn. Standing on stage for the first time was weird; it can be hard to know if the audience likes your talk if they just sit there quietly.

Fortunately I managed to get my story out within the 5-minute limit, and then I got to sit and watch the rest of the lightning talks. I’ll admit I didn’t really process a lot of them as I was feeling like a deflated balloon after my talk; or at least that’s how I describe the feeling of coming down off the adrenaline after a talk. To be honest, I still feel that way after talks these days, despite having way more of them now. It is not as bad as the first time, but I still get nervous before each talk and still need a bit of time to recover after. And yet, I still continue to do it!

Upsides of public speaking

This is how I got into public speaking. It started with a lightning talk on a topic I was enthusiastic about, and based on personal experience. It’s lead me to speak at many other conferences, share my knowledge and experience, meet many more amazing people and learn from them. And speaking is now part of my job as a Developer Advocate at JetBrains!

Analyzing dependencies in IntelliJ IDEA

If you’re working on a real world project, you’re probably using external dependencies. You might need to analyze which dependencies your application uses. For example, you may want to find out how a particular version of a dependency ended up in your application. Let’s take a look at how IntelliJ IDEA can help you to analyze dependencies.

Using the Dependency Analyzer

We can view our dependencies in the Maven or Gradle tool window. Here, we can expand dependencies to show their transitive dependencies, or collapse them again.

Open the Dependency Analyzer

We can open the Dependency Analyzer from the Maven or Gradle tool window by clicking the Analyze Dependencies… button. This will open the Dependency Analyzer showing the Resolved Dependencies on the left and their Usages on the right.

Alternatively, we can right-click a dependency in the Maven or Gradle tool window and select Analyze Dependencies from the context menu. This will open the Dependency Analyzer with the dependency selected.

We can hide all tool windows (⇧⌘F12 on macOS / Control+Shift+F12 on Windows/Linux), so we can focus on the dependencies.

Viewing dependencies in the Dependency Analyzer

We can view the dependencies as a tree by clicking the Show as Tree button and Expand or Collapse them as needed by pressing the corresponding buttons.

We can also click the View Options button and toggle Show GroupId, to show the GroupId for dependencies or not.

Finding a specific dependency

To see where we are getting a specific version of a particular library, we can search for that dependency. For example, when we search for “log4j” we see that we are only getting it via this spring-boot-starter, and it’s a version newer than the one where log4shell was fixed.

Finding conflicts

We might only want to look at dependencies that have conflicts. When we select the Show Conflicts Only button, we see only dependencies that have conflicts. In this example, we see that there is a conflict with the checker framework dependency. Fortunately, it’s been resolved; we see that one version is greyed out. If we go back to the Maven tool window, we see that this version has been omitted for conflict. We can see that the version we are using is 3.5.0 which we get from postgres.

Selecting scopes

We can also select a scope (for example, if we want to look at our test dependencies or exclude them from analysis). Since we’ve opened the Dependency Analyzer from the Maven tool window, we see the Maven scopes.

When we open the Dependency Analyzer from the Gradle tool window, the list of scopes will contain Gradle scopes.

More context

For more context, we can click a specific dependency and select Open Maven Config to open its pom.xml or Go to Maven Dependency to open the location in the pom.xml where this dependency is declared.

Using the Dependency Diagram

If you are using IntelliJ IDEA Ultimate, you can also view your dependencies as a diagram.

Show Diagrams

We can open diagrams either by right-clicking the project in the Project tool window and selecting Diagrams | Show Diagrams, or by using the shortcut ⌥ ⇧ ⌘ U (on macOS) or Ctrl+Alt+Shift+U (on Windows/Linux). You’ll notice this gives you several diagram options to choose from. In this case, we’re interested in the Gradle Dependencies, so we select that one. We can hide all tool windows (⇧⌘F12 on macOS / Control+Shift+F12 on Windows/Linux), so we can focus on the diagram.

Zoom in

If the project we’re looking at pulls in a lot of transitive dependencies, like this example, the diagram can be quite large. We can zoom in and out using the + and – keys, or the + and – buttons in the diagram window.

Finding a specific dependency

To look for a specific dependency and see where we get it from, we can search for this dependency using ⌘F (on macOS) or Ctrl+F (on Windows/Linux) to find it in the diagram. Using the button Show Paths: Root -> Selection, we can check the path for this dependency and click related dependencies to follow the path to the root.

Focus on related nodes

We have other options to look into specific dependencies. For example, we can zoom in on a specific dependency and the related nodes. Right-click the dependency you’re interested in, and from the context menu, select Analyze graph > Focus on Node Neighbourhood. This will give you several options. In this example, we’ll look at both directions. When we are done, we can reopen Analyze graph context menu and select Drop focus.

Select scopes

We can change the visibility level, by clicking the Change Visibility Level button for example if we want to focus on compile or runtime dependencies only.

Summary and Shortcuts

Now we know several ways to analyze our project’s dependencies in IntelliJ IDEA.

IntelliJ IDEA Shortcuts Used

Here are the IntelliJ IDEA shortcuts that we used.

NamemacOS ShortcutWindows / Linux Shortcut
Recent Files⌘ECtrl+E
Hide all windows / Restore windows⇧⌘F12Ctrl+Shift+F12
Open / Close Project Tool Window⌘1Alt+1
Show Diagram⌥⇧⌘UCtrl+Alt+Shift+U
Zoom in (in the diagram)++
Zoom out (in the diagram)
Find Elements in Diagram⌘FCtrl+F
Context Actions⌥⏎Alt+Enter

Related Links

IntelliJ IDEA: Analyzing Dependencies

If you’re working on a real world project, you’re probably using external dependencies. You might need to analyze which dependencies your application uses. For example, you may want to find out how a particular version of a dependency ended up in your application. Let’s take a look at how IntelliJ IDEA can help you to analyze dependencies.


Cherry-pick: Move a commit to a different branch

There are several reasons why you might want to move a commit to a different branch. Let’s take a look at some of them.

Committed to the wrong branch

You’re working on a new feature, but an urgent bug came in. You fixed the bug and committed the fix, but oops… you forgot to create a new branch for the bugfix! Now this bugfix is on the wrong branch. How do we fix this?

IntelliJ IDEA Git log window showing a bugfix commit on a new-feature branch
Bugfix commit is on the wrong branch

Use cherry-pick to move the commit

I could redo the work, especially if it’s a small change, but … I don’t want to! Luckily, there is a better way.

We only want to move this one commit from the feature branch to a separate bugfix branch. We can do this using Git’s “cherry pick” option from IntelliJ IDEA.

First, let’s go back to main and create the bugfix branch that we should have created in the first place.

IntelliJ IDEA Git log window showing that the main branch is checked out.
Back on the main branch

Once we’re back on the main branch, we can create a new branch named “bugfix”.

Create a new Bugfix branch

On the newly created branch, we can select the bugfix commit from the other branch and select Cherry-Pick to apply that commit to our current branch.

IntelliJ IDEA Git log with the bugfix commit selected and the context menu with option cherry-pick selected.
Cherry Pick the selected commit from the context menu

Cherry-pick from the command line

Yes, we can do this from the command line too, but there’s no cute cherry icon on the command line. To cherry-pick a commit from the command line, we can use the command git cherry-pick <commit hash>. We would need to find the commit hash of the commit we want to cherry-pick, which we can find for example in the Commit Details pane in the Git log window (see below).

IntelliJ IDEA with the terminal open and the command "git cherry-pick 51e33e5a".
Cherry-pick on the command line

As we can see, the bugfix commit is now on the bugfix branch.

IntelliJ IDEA Git log showing the Bugfix commit on the bugfix branch and a message "Cherry-pick successful".
Cherry-pick successful

Other use cases for cherry-picking

Cherry picking can be useful in other situations too. Let’s take a look at some other use cases for cherry-picking.

Backporting a fix

We can also use cherry-picking to backport a fix to a previous release branch. For example, let’s move our bugfix commit also to the v1-release.

To do so, first we need to look for the last release (v1). We can search for a specific commit hash, branch or tag name in the Git log (⌘ F on Mac or Ctrl+F on Windows/Linux).

IntelliJ IDEA Git log showing a pop-up to Enter hash or branch/tag name.
Search Git log for Hash/Branch/Tag

We can also filter commits in the commit log by branch, user, date or path. 

IntelliJ IDEA Git log showing the option to filter by branch, user, date or path
Filter by branch, user, date or path

To see which commits have not yet been applied to this branch, we can click View Options and select Highlight | Not Cherry-Picked Commits. We’ll compare with the new-feature branch. Commits that have already been applied to the current branch are greyed out.

IntelliJ IDEA Git log showing a context menu with Highlights | Not Cherry-Picked Commits selected
Select the Not Cherry-Picked Commits

When we select a commit, we can look at the information in the Commit Details area (at the bottom right) to make sure these are the changes we want to transfer to this branch. In the Commit Details area we can see which files were changed in a particular commit. We can right-click a file and select Show Diff from the context menu to open the changes that were made to that file.

IntelliJ IDEA Git log showing the details of a commit on the right.
Look at the details of a commit

If we are sure these are the changes we want, we can cherry-pick them to the previous release branch.

Cherry pick part of a commit

In the Commit details pane on the right, select the files containing the changes you want to apply to the target branch, right-click and select Cherry-Pick Selected Changes from the context menu.

IntelliJ IDEA Git log showing a context-menu with the option Cherry-Pick Selected Changes selected
Cherry-Pick Selected Changes

The cherry picked changes are transferred to the change list and we can commit them from there. 

IntelliJ IDEA Commit window with Changes selected to be committed.
Partial commit added to the Change List to be committed

Dealing with conflicts

So far, cherry picking went smoothly because there are no conflicting changes. What if there are conflicts?!

When we cherry-pick a commit that has conflicts with our current branch, the Merge Conflicts dialog opens.

IntelliJ IDEA Merge Conflict dialog with the options to Accept Yours, Accept Theirs or Merge
Merge Conflict

We can resolve the merge conflicts here. We want to keep some changes, and reject others.

IntelliJ IDEA Merge Conflict dialog with conflicts highlighted
Merge Conflicts dialog
IntelliJ IDEA Merge Conflict dialog with conflicts resolved and the option to Save changes and finish merging
Merge conflicts have been resolved

If you’re not able to resolve the merge conflicts, you can also abort the cherry pick.

IntelliJ IDEA Git log showing a notification that the Cherry-pick was performed with conflicts and a popup to Abort the Cherry-Pick
Abort Cherry-pick

Continue after cherry-picking

Once we’re done cherry-picking, we can go back to the “feature” branch. Since we haven’t pushed these changes yet, we can remove the commit from the feature branch by selecting Drop commit

IntelliJ IDEA Git log with a commit selected and a context-menu with the option to Drop Commit
Drop Commit

What if you have pushed the changes already? Then you might want to revert it on this branch instead. Right-click the commit and from the context menu select Revert Commit.

IntelliJ IDEA Git log with a commit selected and a context-menu with the option to Revert Commit
Revert Commit

Now we can continue working on the new feature!


Moving a commit to a different branch. Not nearly as scary as it sounds! Let the IDE help to turn this into a quick, low-stress task.

Cherry pick a commit to a different branch in any JetBrains IDE


Cherry pick a commit to a different branch

Oops, you committed your code to the wrong branch… You could redo the work, but you don’t want to! Luckily, the IDE can help you move your commit to a different branch. Use Git’s cherry-pick option from your IDE to move changes over to a different branch in a quick, low-stress way.

Cherry pick a commit to a different branch


The Art of Cherry Picking

Oops, you committed your code to the wrong branch… You could redo the work, but you don’t want to! Luckily, the IDE can help you move your commit to a different branch. Use Git’s cherry-pick option from your IDE to move changes over to a different branch in a quick, low-stress way.

The Art of Cherry Picking


Using bots to keep our dependencies up to date

Any real world Java project will likely use external dependencies. As we’ve seen over the last few years, it’s important to keep these dependencies up to date. We used to have to manually check for updates, but fortunately these days there are tools available that can help us with this. Because, let’s be honest, most developers don’t enjoy maintaining applications. We’d much rather be using cool new tools and/or language features, and solving interesting problems. Sorry, I mean: delivering business value! But we are responsible for keeping our dependencies up to date, so let’s make that as easy as possible. In this blog post we will look at one category of tools that can help us: bots that can automatically create pull requests (PRs) to keep dependencies secure and up to date. 

For Java, we currently have three options: Dependabot, Renovate and Snyk Open Source. They each support other programming languages too, but as I mostly use Java and other JVM languages I have limited myself to these. Let’s take a look at which features they provide and their similarities and differences.

Sidenote: In order to try out and compare these bots, I’ve added them one by one to my personal GitHub profile and will describe here how to add them to your GitHub profile, as well as link to information about other integration options.


The first bot we will look at is Dependabot. Since Dependabot is GitHub native, we can enable most of its features from the Settings > Security > Code security and analysis. Here we can enable (or disable) the available features, and select which ones we would like to automatically enable for new repositories. 

Dependabot settings on GitHub
Dependabot settings on GitHub


Dependabot offers the following features: Alerts, security updates and vulnerability updates. 

When Dependabot is enabled, it provides a Dependency Graph under the Insights tab of your project. The Dependencies tab shows any alerts to the owner of the repository. The Dependents tab shows any projects that depend on your project. In the Dependabot tab version updates can be configured.

When we enable Dependabot alerts, we will receive alerts for vulnerabilities in our repositories and we can manually generate pull requests (PRs) to resolve them. We can configure how we would like to receive these alerts. We can also view them in the Dependency Graph in the Dependencies tab.

GitHub project Insights tab with the Dependabot Dependencies graph Dependencies tab open and yellow alert stating We found potential security vulnerabilities in your dependencies.
Dependabot Dependencies graph

We can click the button to View Dependabot alerts to see more information about the alerts.

Details of Dependabot alerts on GitHub, listing several Critical updates
Dependabot alerts

Pull requests

When we enable Dependabot security updates, Dependabot will open pull requests (PRs) automatically to resolve vulnerabilities. These PRs provide information about the severity of the vulnerability, CVSS base metrics, and CVEs. We can hover over the CVSS base metrics and CVEs to get more information. We can review the changes, or dismiss the alert.

Dependabot pull request for a security update on jackson-databind with information about the vulnerabilities found.
Dependabot security update

To enable version updates, you need to add a dependabot.yml file to your repository.


In this configuration file, you need to provide the package manager, the directory that contains your manifest file and a scheduling interval (daily, weekly, or monthly). You can configure more options, like when it should be scheduled (date, time, timezone), the maximum number of PRs (the default is 5), rebase strategy, settings that can help you manage the PRs like target branch, assignees, reviewers, commit messages and labels, and more. For more information on configuration options, see the Dependabot documentation on configuration.


While Dependabot is GitHub native, it is possible to run it locally or on GitLab too. 


Like Dependabot, Renovate offers security updates and version updates. In addition, Renovate will also create a project dashboard listing all updates needed on a particular project.

Renovate is available on GitHub via a GitHub app. To configure Renovate for your GitHub account, go to Renovate allows you to set Repository access to either All repositories or Only select repositories. Renovate is the only one of these three options that allows you to try it out on only one repository first, so if you’ve never used one of these bots, I’d recommend starting with Renovate on one repository.

Install Renovate on your personal account with the option to select All repositories or Only select repositories.
Install Renovate

Renovate will create an onboarding pull request to the selected repositories. The onboarding PR contains basic configuration for Renovate to run. It describes the configuration in a Configuration Summary, and provides some information about What to Expect when the PR is merged (in this example, a list of PRs that will be opened).

Renovate onboarding PR with Configuration Summary
Renovate Onboarding PR
What to Expect section of Renovate's onboarding PR listing which PRs will be opened.
Renovate What to Expect
Renovate basic configuration
Renovate basic configuration

Note: These screenshots were taken from the PR created in September 2022. It may have changed since then.


Renovate offers additional configuration options. In addition to setting a maximum number of PRs, Renovate allows you to to set a maximum number of concurrent branches or even an hourly limit, which can help to keep the number of open PRs and branches manageable. Renovate also lets you configure when to rebase (or not), and settings to help you manage the PRs assignees, reviewers, commit messages, labels, and more. Overall, Renovate offers more configuration options, and these options are more fine-grained than Dependabot’s options.

For more information, see the Renovate documentation on configuration options.

Once the onboarding PR is merged and the configuration file is added to your repository, Renovate will start opening pull requests with updates on the selected repositories.

Renovate pull request for jackson-databind security update
Renovate pull request

Pull requests

These PRs contain information about the reason a PR was created including which package was updated, the current and new version, as well as the following information to help you decide whether or not to merge the PR and apply the update (apart from your build being green).

  • Age: The age of the package
  • Adoption: The percentage of this package’s users (within Renovate) which are using this release
  • Passing: The percentage of updates which have passing tests for this package
  • Confidence: The confidence level for this update

For more information, see the Renovate documentation on merge confidence.

Auto merging PRs

In addition, Renovate offers the option for rule based auto merging of PRs; a feature that lets you automate upgrading dependencies. When auto merging is enabled, Renovate tries to merge the proposed update once the tests pass. Renovate recommends that you enable auto merge only for any type of dependency updates which you would just merge anyway, and keeping auto merge disabled for updates where you want to review the release notes and/or code before merging. Of course, great test coverage is also very helpful here! Renovate is currently the only of these three options that offers this feature.


Finally, Renovate will add a Dependency Dashboard to your project, listing all Renovate updates and detected dependencies. This dashboard can be enabled or disabled as desired. 

GitHub project Issues tab with a Renovate Dependency Dashboard link
Renovate Dependency Dashboard
Renovate project Dashboard with a list of all outdated dependencies that can be updated.
Renovate project Dashboard

In addition, Renovate provides a general dashboard with all projects & jobs run, which you can find under if you have Renovate enabled.


Note: If you are not using GitHub, Renovate currently also supports other platforms. For more information, see the Renovate documentation on supported platforms.

Snyk Open Source

Snyk Open Source is available from Snyk. There are more steps to enable it for your GitHub Profile, but it also offers more features. To enable Snyk Open Source, go to and select Start free. You will need to Authorize snyk on your GitHub profile, select repository access (either Public and private repos or Public repos only), select other available features you want to use, and provide a Personal access token on GitHub.

Snyk Open Source website with the option to Start free
Snyk Open Source Start free


In addition to security updates, version updates, and dashboards, Snyk Open Source offers to test for new vulnerabilities and/or test for vulnerabilities in source code. These options are currently not offered by Dependabot or Renovate. As this blog post focussed on tools to help you detect possible vulnerabilities in your dependencies and automatically create PRs to upgrade them, we will not look at scanning the source code for vulnerabilities here.

Snyk Open Source screen to Select GitHub repository access for Public and private repos or Public repos only with additional features to select
Snyk Open Source GitHub repository access and additional features

Pull requests

When enabled, Snyk Open Source will open PRs on the selected repositories. These PRs also include information about the reason for the PR, severity of a vulnerability, priority score and why it has this score, details of the version upgrade (current and new version), and more.

Snyk Open Source pull request for jackson-databind with information about the vulnerability found.
Snyk Open Source pull request

By default, Snyk Open Source will combine related updates into one single PR to help reduce the noise. Dependabot does not currently offer this option, while Renovate can be configured to do something similar.

Snyk Open Source pull request that bundles several updates.
Snyk Open Source combined PR

Snyk Open Source also has the option to test for new vulnerabilities. When enabled, incoming PRs will be checked for known vulnerabilities to make sure that no known vulnerabilities are added to the code base. Dependabot and Renovate do not currently offer this feature.

GitHub screen saying All checks have passed including a Snyk Open Source security test has passed
Snyk Open Source security test on PRs


We can configure the frequency with which Snyk Open Source should run (daily, weekly, never). We can enable or disable scanning for new and/or known vulnerabilities, so we can clear our backlog of known vulnerabilities separately from making sure we don’t get any new vulnerabilities. This might help getting started with updating outdated dependencies without getting overwhelmed with too many updates. Dependabot and Renovate do not currently offer this option. Finally, we can also enable or disable PRs for a single project, so we can start using Snyk Open Source on a single project like we can with Renovate, but this is not a default option. 


The dashboards offered by Snyk Open Source are the most extensive of these three options. The dashboards provide an overview of known vulnerabilities found in your repositories with the number of vulnerabilities and their severity visible per project and overall.

Snyk Open Source Dashboard listing pending tasks and vulnerable projects and an issues summary, listing number and severity of vulnerabilities found.
Snyk Open Source Dashboard


You can use Snyk Open Source in the Snyk Web UI, with the Snyk CLI, in your IDE, or with an API. For more information, see the Snyk Open Source documentation.


As we have seen, the different bots offer different features. All of the options discussed here can automatically open pull requests for vulnerable dependencies and version upgrades. The information they provide with these PRs differs, as do the number and type of configuration options. Which bot is right for you will depend on needs and preferences.

Links / sources:

Using bookmarks in IntelliJ IDEA

In this blog post, we’re going to take a look at using bookmarks in IntelliJ IDEA. Bookmarks can come in handy while navigating a codebase, when you see something interesting that you want to come back to later. You could use Recent Files (⌘E on macOS, or Control+E on Windows/Linux) to find it, but then you have to remember which file it was. This is where bookmarks come in handy. Let’s take a look!

Add anonymous bookmarks

We can bookmark a line by pressing F3 (on macOS) or F11 (on Windows/Linux). This shortcut creates an anonymous line bookmark, marked with a Bookmark icon. If we don’t remember the shortcut, we can right-click the gutter next to the line of code we want to bookmark and select Add Bookmark.

Anonymous bookmark
Add bookmark from gutter menu

We can also bookmark files, packages, folders, and modules. We can open the Project Tool Window (⌘1 on macOS, or Alt+1 on Windows/Linux) and add an anonymous bookmark. We can use the shortcut (F3 on macOS, or F11 on Windows/Linux) or, we can also right-click the item we want to bookmark, and select Bookmarks | Add Bookmark. Note that anonymous bookmarks don’t have an identifier, and we can create as many anonymous bookmarks as we like.

Bookmark a project item

Add mnemonic bookmarks

We can also create bookmarks that are assigned to a digit (0 to 9) or letter (A to Z). To add a mnemonic line bookmark, press ⌥ F3 (on macOS) or Control+F11 (on Windows/Linux) and press the digit or letter to use as an identifier for this bookmark. Again, we can also or right-click the gutter next to the line of code that you want to bookmark and select Add Mnemonic Bookmark.

Add mnemonic bookmark menu

Optionally, we can provide a description for the new bookmark. We can double-click the digit or letter we want to assign.

Add mnemonic bookmark

Lines marked with mnemonic bookmarks have the corresponding digit or letter icon in a frame.

Mnemonic bookmark

If the selected digit or letter is already in use, IntelliJ IDEA will ask you whether you want to overwrite an existing bookmark with the new one. When we select the Don’t ask again option, the IDE will silently overwrite mnemonics.

Rewrite mnemonic

Navigate to bookmarks

There are several options to navigate to the bookmarks we have created.

Show line bookmarks

To see all line bookmarks that we have in the code, we can open the Bookmarks popup by pressing ⌘ F3 (on macOS) or Shift+F11 (on Windows/Linux) or go to Edit | Bookmarks | Show Line Bookmarks.

Show Line Bookmarks shortcut
Show Line Bookmarks menu

Notice that this list does not contain any project items like files or classes that we have bookmarked. In the Bookmarks popup, we can select the bookmark we want to navigate to, either with up and down arrows and pressing Return (on macOS) or Enter (on Windows/Linux), or by double-clicking it with our mouse. For mnemonic bookmarks, we can select the corresponding digit or letter.

Bookmarks popup

Jump to mnemonic bookmark

To jump straight to a mnemonic bookmark, hold ^ (on macOS) or Control (on Windows/Linux) and press the mnemonic digit or letter on the keyboard. This doesn’t work with anonymous bookmarks, but we can assign a mnemonic to an existing anonymous bookmark, either using the shortcut, or by clicking the bookmark in the gutter and selecting Assign Mnemonic. This works in the Bookmarks popup too!

Go to Bookmark
Assign Mnemonic

Bookmarks tool window

To see all our bookmarks, we can open the Bookmarks tool window by pressing ⌘ 2 (on macOS) or Alt+2 (on Windows/Linux), or by selecting View | Tool Windows | Bookmarks from the main menu.

Open Bookmarks tool window (shortcut)
Open Bookmarks tool window menu

IntelliJ IDEA adds your bookmarks to the predefined list in the Bookmarks tool window that is created automatically and has the same name as the project. In this example, multiple bookmarks in the same file are grouped together. We can also turn that off in the Options menu, by deselecting Group Line Bookmarks by File. As we can see, there are several other options as well. We won’t dive into all of them, but be aware there are some options you can configure to your liking.

Bookmark tool window options

Bookmark lists

Another option we do want to show you here is that you can create more lists. We can add a new list using the shortcut (⌘ N on macOS or Alt+Insert on Windows/Linux) or by clicking the Create Bookmark List button. We can add a name for the new list.

Create Bookmark List

If there are multiple lists, and we create a new bookmark, we can select which list to add it to in the Add Bookmark popup. We can also select the list to use as the default by checking the option Use as default list.

Select Bookmark List

In the Bookmarks tool window, we can move bookmarks to another list by dragging them to the other list. And we can sort bookmarks by selecting a bookmark and using Move down (⌥ ⌘ ↓ on macOS, or Control+Alt+↓ on Windows/Linux) or Move up (⌥ ⌘ ↑ on macOS, or Control+Alt+↑ on Windows/Linux).

Move down

Fun fact: The Bookmarks tool window also shows all breakpoints that are automatically added to the dedicated list once you place them in your code.


Bookmark editor tabs

Finally, we can also bookmark editor tabs. Click the  to the right of the tabs and select Bookmark Open Tabs. We can enter a name for this list in the Create Bookmark List popup.

Bookmark Open Tabs
Create Bookmark List popup

Summary and Shortcuts

As we’ve seen, bookmarks allow us to “save” certain interesting locations in the code base, so we can easily go back to them later. Now we know how to create bookmarks and how to navigate to bookmarks we have created.

IntelliJ IDEA Shortcuts Used

Here are the IntelliJ IDEA shortcuts that we used.

NamemacOS ShortcutWindows / Linux Shortcut
Recent files⌘ ECtrl+E
Open / Close Project Tool Window⌘ 1Alt+1
Add anonymous bookmarkF3F11
Add mnemonic bookmark F3Ctrl+F11
Open bookmarks popup⌘ F3Shift+F11
Jump to mnemonic bookmark^ + mnemonicCtrl+mnemonic
Open Bookmarks Tool Window⌘ 2Alt+2
Create Bookmark List⌘ NAlt+Insert
Move down⌥ ⌘ ↓Ctrl+Alt+↓
Move up⌥ ⌘ ↑Ctrl+Alt+↑
Shortcuts used

Related Links