diff --git a/app/Main.hs b/app/Main.hs
index 48476f3..fa9e510 100644
--- a/app/Main.hs
+++ b/app/Main.hs
@@ -10,6 +10,7 @@ import qualified Data.Text as T
 import qualified Data.Text.IO as T
 import DeleteMerged (deleteDone)
 import Git
+import qualified GitHub as GH
 import NVD (withVulnDB)
 import qualified Nix
 import qualified Options.Applicative as O
@@ -134,19 +135,19 @@ main = do
   hSetBuffering stderr LineBuffering
   command <- O.execParser programInfo
   ghUser <- getGithubUser
-  token <- getGithubToken <|> undefined
+  token <- fromMaybe "" <$> getGithubToken
   P.setEnv "GITHUB_TOKEN" (T.unpack token) True
   P.setEnv "GITHUB_API_TOKEN" (T.unpack token) True
   P.setEnv "PAGER" "" True
   case command of
     DeleteDone delete -> do
-      Git.setupNixpkgs token
+      setupNixpkgs $ GH.untagName ghUser
       deleteDone delete token ghUser
     Update UpdateOptions {pr, cve, nixpkgsReview, outpaths, attrpathOpt} update -> do
-      Git.setupNixpkgs token
+      setupNixpkgs $ GH.untagName ghUser
       updatePackage (Options pr False ghUser token cve nixpkgsReview outpaths attrpathOpt) update
     UpdateBatch UpdateOptions {pr, cve, nixpkgsReview, outpaths, attrpathOpt} update -> do
-      Git.setupNixpkgs token
+      setupNixpkgs $ GH.untagName ghUser
       updatePackage (Options pr True ghUser token cve nixpkgsReview outpaths attrpathOpt) update
     Version -> do
       v <- runExceptT Nix.version
@@ -155,17 +156,17 @@ main = do
         Right t -> T.putStrLn t
     UpdateVulnDB -> withVulnDB $ \_conn -> pure ()
     CheckAllVulnerable -> do
-      setupNixpkgs undefined
+      setupNixpkgs $ GH.untagName ghUser
       updates <- T.readFile "packages-to-update.txt"
       cveAll undefined updates
     CheckVulnerable productID oldVersion newVersion -> do
-      setupNixpkgs undefined
+      setupNixpkgs $ GH.untagName ghUser
       report <-
         cveReport
           (UpdateEnv productID oldVersion newVersion Nothing (Options False False ghUser token False False False False))
       T.putStrLn report
     SourceGithub -> do
       updates <- T.readFile "packages-to-update.txt"
-      setupNixpkgs token
+      setupNixpkgs $ GH.untagName ghUser
       sourceGithubAll (Options False False ghUser token False False False False) updates
     FetchRepology -> Repology.fetch
diff --git a/doc/batch-updates.md b/doc/batch-updates.md
index 756f81b..07b269b 100644
--- a/doc/batch-updates.md
+++ b/doc/batch-updates.md
@@ -7,7 +7,12 @@ subcommand.
 
 1. Setup [hub](https://github.com/github/hub) and give it your GitHub
    credentials, so it saves an oauth token. This allows nixpkgs-update
-   to query the GitHub API.
+   to query the GitHub API.  Alternatively, if you prefer not to install
+   and configure `hub`, you can manually create a GitHub token with
+   `repo` and `gist` scopes.  Provide it to `nixpkgs-update` by
+   exporting it as the `GITHUB_TOKEN` environment variable
+   (`nixpkgs-update` reads credentials from the files `hub` uses but
+   no longer uses `hub` itself).
 
 2. Clone this repository and build `nixpkgs-update`:
     ```bash
diff --git a/doc/interactive-updates.md b/doc/interactive-updates.md
index 24c8bd1..3ad754c 100644
--- a/doc/interactive-updates.md
+++ b/doc/interactive-updates.md
@@ -10,9 +10,8 @@ nixpkgs-update supports interactive, single package updates via the
    and configure `hub`, you can manually create a GitHub token with
    `repo` and `gist` scopes.  Provide it to `nixpkgs-update` by
    exporting it as the `GITHUB_TOKEN` environment variable
-   (`nixpkgs-update` _only_ tries to use `hub` to check out the
-   `nixpkgs` repo into your XDG cache directory, if you run
-   `nixpkgs-update` outside of a `nixpkgs` checkout directory).
+   (`nixpkgs-update` reads credentials from the files `hub` uses but
+   no longer uses `hub` itself).
 2. Go to your local checkout of nixpkgs, and **make sure the working
    directory is clean**. Be on a branch you are okay committing to.
 3. Run it like: `nixpkgs-update update "postman 7.20.0 7.21.2"`
diff --git a/pkgs/default.nix b/pkgs/default.nix
index aa068b9..1161c0a 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -12,7 +12,6 @@ let
   drvAttrs = attrs: with pkgs; {
     NIX = nix;
     GIT = git;
-    HUB = gitAndTools.hub;
     JQ = jq;
     TREE = tree;
     GIST = gist;
diff --git a/src/Git.hs b/src/Git.hs
index 262a3b1..3daa921 100644
--- a/src/Git.hs
+++ b/src/Git.hs
@@ -34,12 +34,10 @@ import qualified Data.Vector as V
 import Language.Haskell.TH.Env (envQ)
 import OurPrelude hiding (throw)
 import System.Directory (doesDirectoryExist, doesFileExist, getModificationTime, getCurrentDirectory, setCurrentDirectory)
-import System.Environment (getEnv)
 import System.Environment.XDG.BaseDir (getUserCacheDir)
 import System.Exit()
 import System.IO.Error (tryIOError)
 import System.Posix.Env (setEnv)
-import qualified System.Process.Typed
 import Utils (Options (..), UpdateEnv (..), branchName, branchPrefix)
 
 bin :: String
@@ -48,12 +46,6 @@ bin = fromJust ($$(envQ "GIT") :: Maybe String) <> "/bin/git"
 procGit :: [String] -> ProcessConfig () () ()
 procGit = proc bin
 
-hubBin :: String
-hubBin = fromJust ($$(envQ "HUB") :: Maybe String) <> "/bin/hub"
-
-procHub :: [String] -> ProcessConfig () () ()
-procHub = proc hubBin
-
 clean :: ProcessConfig () () ()
 clean = silently $ procGit ["clean", "-fdx"]
 
@@ -156,19 +148,15 @@ nixpkgsDir = do
 -- Since we are going to have to fetch, git reset, clean, and commit, we setup a
 -- cache dir to avoid destroying any uncommitted work the user may have in PWD.
 setupNixpkgs :: Text -> IO ()
-setupNixpkgs githubt = do
+setupNixpkgs ghUser = do
   fp <- nixpkgsDir
   exists <- doesDirectoryExist fp
   unless exists $ do
-    path <- getEnv "PATH"
-    procHub ["clone", "nixpkgs", fp]
-      & System.Process.Typed.setEnv -- requires that user has forked nixpkgs
-        [ ("PATH" :: String, path),
-          ("GITHUB_TOKEN" :: String, githubt & T.unpack)
-        ]
+    procGit ["clone", "--origin", "upstream", "https://github.com/NixOS/nixpkgs.git", fp]
       & runProcess_
     setCurrentDirectory fp
-    shell (bin <> " remote add upstream https://github.com/NixOS/nixpkgs")
+    procGit ["remote", "add", "origin", "https://github.com/" <> T.unpack ghUser <> "/nixpkgs.git"]
+      -- requires that user has forked nixpkgs
       & runProcess_
   inNixpkgs <- inNixpkgsRepo
   unless inNixpkgs do
diff --git a/src/Utils.hs b/src/Utils.hs
index f29b0f5..24cd434 100644
--- a/src/Utils.hs
+++ b/src/Utils.hs
@@ -297,12 +297,12 @@ hubConfigField field = do
               token = T.takeWhile (/= '\n') $ head (drop 1 splits)
           return $ Just token
 
-getGithubToken :: IO Text
+getGithubToken :: IO (Maybe Text)
 getGithubToken = do
   et <- envToken
   lt <- localToken
   ht <- hubConfigField "oauth_token: "
-  return $ fromJust (et <|> lt <|> ht)
+  return (et <|> lt <|> ht)
 
 getGithubUser :: IO (GH.Name GH.Owner)
 getGithubUser = do