Skip to content

Set up automatic PRs to bump dependencies #443

@leonm1

Description

@leonm1

Our manual dependency management is a security risk and a maintenance burden.

  1. Configure RenovateBot (compatible with Bazel WORKSPACE files) for this repository to automatically create PRs for dependency updates.

  2. Review all dependency URLs to ensure they use stable, versioned links that are compatible with Renovate's automated parsing.

  3. Address the OpenSSF Scorecard findings in #425

Notably, I do not think we should create a rotation for dependency management. It is better for two people to have strong ownership than to delegate to a rotation which does not have strong incentive to prioritize dependency management.

We will need some way to manage dependencies which do not use a tags for versioning.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions