Add dependabot.yml to monitor outdated dependencies #647
Conversation
Signed-off-by: Craig Perkins <[email protected]>
cwperks
requested review from
khushbr,
ansjcy,
sbcd90,
Shephalimittal,
nishchay21,
rramachand21,
psychbot and
Gaganjuneja
as code owners
|
@Gaganjuneja Can we add this in as well? Dependabot makes maintainers lives a lot easier by watching for outdates dependencies proactively and using automation to create version bump PRs. |
Thanks @cwperks. Do we have this in OpenSearch core? Need to understand if this is approved to be used? |
|
@Gaganjuneja Yes, dependabot is widely used across repositories in the OpenSearch project. Its used in core, plugin repos and other repos as well. It works with many dependency management systems including gradle like this repo uses. Example config in security plugin: https://github.com/opensearch-project/security/blob/main/.github/dependabot.yml Core's config: https://github.com/opensearch-project/OpenSearch/blob/main/.github/dependabot.yml |
|
Main advantage of dependabot is proactive security fixes. W/o automated updates, usually it takes a scan of the built plugin zip file to see if there are any known CVEs that impact any of the jars. Dependabot does the heavy lifting by checking maven to see if new versions of a dep are available and makes a PR to update the dep. This configuration does minor + patch updates, but does not explicitly perform major version updates of deps since those often require additional changes. Its a similar config used across many repos in the project. |
Is your feature request related to a problem? Please provide an existing Issue # , or describe.
Adds dependabot.yml to run on a weekly basis to monitor for outdated dependencies in this repo.
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.