Automated dependency updates
Context and Problem Statement
Updating dependencies of a component is a repetitive and sometimes cumbersome task that tends to be postponed.
Postponing updates, or in the worst case performing them manually, leads to several problems.
Deferring and skipping updates accumulates technical debt, and updating a dependency then becomes an extraordinary task. In the end, we may either be unable to fix security vulnerabilities in time or spend most of our capacity on updating dependencies.
Our goal, therefore, is to make updating a dependency a non-event. It should be automated as much as possible, and we don't want to build up technical debt by postponing required adaptations.
Decision Drivers
- Automatic dependency updates are supported for various package systems
- Tool supports Git repositories hosted in GitLab
- Semantic Versioning is supported by the tooling
- The solution is in line with Smart Infrastructure Grid Software tooling
Considered Options
Decision Outcome
Chosen option: "Renovate Bot", because:
- It is better integrated into GitLab. It supports all the languages that we currently require.
- In addition, changelogs can be generated automatically when following these rules.
Consequences
- The merge request about onboarding the Renovate Bot MUST be accepted.
- Automatically created dependency update merge requests MUST be reviewed and accepted regularly.