Use dependency bot

[zekth]

Currently we are maintaining a set of libraries which have dependencies.
Maintaining everything up to date and out of security vulnerability would be quite a mess to do it manually.

I suggest we use Renovate which supports all the language we support.

wdyt?

[jorgelob]

I believe Github also offers Dependabot?

…

On Tue, Dec 12, 2023 at 4:58 AM Vìncent Le Goff ***@***.***> wrote: Currently we are maintaining a set of libraries which have dependencies. Maintaining everything up to date and out of security vulnerability would be quite a mess to do it manually. I suggest we use Renovate <https://docs.renovatebot.com/> which supports all the language we support. wdyt? — Reply to this email directly, view it on GitHub <#40>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A7F2PF4M6W5CVYBM7IOWCODYJBIGDAVCNFSM6AAAAABARNXOLCVHI2DSMVQWIX3LMV43ASLTON2WKOZSGAZTONZQGE3TAMQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

-- *Jorge Vivas* Staff Engineer *Growth & Core* lob.com <http://www.lob.com>

[zekth]

dependabot doesn't offer simple strategies regarding to multi languages / grouping etc.
Renovate is free, simpler and more performant from my experience. Easy to setup and offer a simple dashboard also.
One example of what we built at Kong : https://github.com/Kong/public-shared-renovate

[jorgelob]

Appreciate the explanation... You are right, I forgot about the multi-language support from dependabot. I am not opposed to try it out.

…

On Tue, Dec 12, 2023 at 8:46 AM Vìncent Le Goff ***@***.***> wrote: dependabot doesn't offer simple strategies regarding to multi languages / grouping etc. Renovate is simpler and more performant from my experience. Easy to setup and offer a simple dashboard also. One example of what we built at Kong : https://github.com/Kong/public-shared-renovate — Reply to this email directly, view it on GitHub <#40 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A7F2PF2XK54WYL6DEZYAGM3YJCC7ZAVCNFSM6AAAAABARNXOLCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNJSGQYTQNBVGI> . You are receiving this because you commented.Message ID: ***@***.***>

-- *Jorge Vivas* Staff Engineer *Growth & Core* lob.com <http://www.lob.com>

[tasn]

I'm up for either. No strong opinion either way.

[tasn]

@zekth, I don't remember, did we manage to set it up? I remember we had issues.

[zekth]

I ll have a retry run but it was acting weirdly. I think we can setup dependabot in backup solution but renovate is more convenient.

[tasn]

@zekth, I think it's maybe still too aggressive? Should we maybe only tell it to upgrade on security issues?

[zekth]

We were really out of date on many deps, i created one PR to adress the grouping of javascript which is mostly the most noisy ecosystem: #96

Currently the configuration ignores the PATCH and runs weekly. I expect it to be less noisy now that everything has been updated.