CI Dependency Update Bot
Auto-PR for dependency updates.
Why an update bot
Dependencies rot. Security patches, performance fixes, deprecations.
Without automation, updates lag by months. Manual updates are tedious and skipped.
Bots: Dependabot, Renovate, Snyk. All open PRs automatically when updates are available.
Renovate as the default
More configurable than Dependabot. Custom schedules, grouping, auto-merge rules.
Group updates: minor and patch updates batched into one weekly PR. Major updates in individual PRs.
Schedule and auto-merge: low-risk updates auto-merge if CI passes. Major updates require review.
Update policy
Patch versions: auto-merge if CI passes. Low risk, high frequency.
Minor versions: weekly batch PR. Reviewed by service owner.
Major versions: individual PR with breaking change notes. May take a sprint to land.
Security updates fast-track
GitHub security advisories trigger same-day PRs. Auto-merge if test suite passes; fall back to fast review.
Track open security PRs. If more than 3 have been open for over a week, escalate.
Verify with `npm audit`, `pip-audit`, `cargo audit` post-merge to confirm fix landed.
How to set this up
Renovate config in repo. `renovate.json` with project-specific rules.
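The update policy and security fast-track above, written as a `renovate.json`. This is an added example, not the page's own config or Renovate's defaults; the label names, the Monday schedule and the 3-day release age are assumptions, and every key used is a documented Renovate option.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "dependencyDashboard": true,
  "labels": ["dependencies"],
  "separateMinorPatch": true,
  "packageRules": [
    {
      "description": "Patch versions: auto-merge once CI is green; wait 3 days after release (assumed) to dodge pulled or hijacked releases",
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr",
      "minimumReleaseAge": "3 days"
    },
    {
      "description": "Minor versions: one batched PR per week, reviewed by the service owner",
      "matchUpdateTypes": ["minor"],
      "groupName": "weekly minor updates",
      "schedule": ["before 6am on monday"],
      "automerge": false
    },
    {
      "description": "Major versions: individual PRs, never auto-merged",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["dependencies", "major-update"]
    }
  ],
  "vulnerabilityAlerts": {
    "description": "Security fast-track: open immediately regardless of schedule, auto-merge if tests pass",
    "labels": ["security"],
    "schedule": ["at any time"],
    "automerge": true
  },
  "osvVulnerabilityAlerts": true
}
```

`separateMinorPatch` matters for this policy: without it Renovate folds a patch into the pending minor update, so the patch would wait for the weekly batch instead of auto-merging. `vulnerabilityAlerts` overrides the package rules for advisory-driven updates, which is what makes the fast-track fire outside the Monday window. Pair `automerge` with branch protection that requires the CI status checks, so nothing can merge with no checks run.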
CI pipeline must be solid; auto-merge on broken CI defeats the purpose.
Quarterly review of update policy. Adjust grouping and schedule based on what worked.