CI Dependency Update Bot
Auto-PR for dependency updates.
Why an update bot
Dependencies rot continuously: security patches, performance fixes, deprecations all flow weekly. Manual updates lag by months because the work is tedious and skipped. An update bot opens PRs automatically and turns a quarterly slog into a steady stream.
- Dependencies rot continuously. Security patches, performance fixes, and deprecations flow weekly across the package ecosystem.
- Manual updates lag months behind. Tedious work that gets postponed; teams routinely run dependencies six months out of date.
- Bot options. Dependabot (built into GitHub), Renovate (more configurable), Snyk (security-focused); all open PRs automatically when updates are available.
- Named owner per bot. A named team maintains the bot configuration; stale or noisy configs degrade trust and adoption.
Renovate as the default
Renovate is more configurable than Dependabot. Custom schedules, grouping rules, and auto-merge controls give you the policy expressiveness that team-scale repositories need.
- More configurable than Dependabot. Custom schedule, grouping, auto-merge controls per package or package family; the flexibility pays back at scale.
- Group minor updates. Batched weekly minor-and-patch PR per repo; one review covers many updates instead of dozens of separate PRs.
- Schedule by risk. Low-risk updates auto-merge when CI passes; major updates require review and possibly migration work.
- renovate.json per repo. Version-controlled config that lives alongside the code; supports normal change review without bot-side knobs.
Update policy
The update policy splits by semver tier. Patch versions auto-merge, minor versions batch weekly, major versions get individual PRs that may take a sprint to land.
- Patch versions: auto-merge. Auto-merge rule gated on CI passing; low risk, high frequency, and the bot handles it without human attention.
- Minor versions: weekly batch. Batched minor-and-patch PR reviewed by the service owner each week.
- Major versions: individual PR. One PR per major bump, carrying the breaking-change notes; it may take an engineer a sprint to migrate.
- Documented exception list per policy. Special-handling packages (load-bearing libraries, frameworks under active migration) called out so the bot does not move them silently.
Security updates fast-track
Security updates run their own faster track. Same-day PR on advisory, auto-merge if tests pass, separate tracking dashboard so security PRs do not get lost in the dependency stream.
- Same-day PR per advisory. GitHub security advisories trigger immediate auto-PR; the gap between advisory and patch closes to hours.
- Auto-merge if tests pass. Each PR is gated on the test suite; fall back to fast manual review when the tests cannot certify the change.
- Track open security PRs separately. Weekly open-PR audit; more than three open for over a week earns an escalation.
- Verify post-merge. npm audit, pip-audit, or cargo audit run after merge confirms the fix actually landed in the lockfile.
How to set this up
Setup needs three pieces: repo config, solid CI, quarterly policy review. Skip any one and the bot becomes a source of noise rather than a solution.
- renovate.json in the repo. Project-specific rules; the standard pattern for keeping bot config alongside the code it touches.
- CI must be solid. Auto-merge on broken CI defeats the entire point; flaky tests must be fixed before auto-merge is enabled.
- Quarterly review. Policy-tuning retrospective per quarter; adjust grouping and schedule based on what produced friction.
- Open-bot-PR dashboard per team. Team-level view of accumulating debt; without it, stale bot PRs become invisible technical debt.
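A renovate.json that expresses the update policy and the security fast-track described above, written as an added example for this page rather than the project's own configuration. The package names in the exception rule and the timezone are placeholder assumptions, and it assumes GitHub security advisories are enabled on the repository.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],
  "timezone": "Etc/UTC",
  "labels": ["dependencies"],
  "dependencyDashboard": true,
  "prConcurrentLimit": 10,
  "minimumReleaseAge": "3 days",
  "packageRules": [
    {
      "description": "Patch versions: auto-merge once the PR's CI checks pass",
      "matchUpdateTypes": ["patch"],
      "automerge": true,
      "automergeType": "pr"
    },
    {
      "description": "Minor versions: one weekly batch PR for the service owner to review",
      "matchUpdateTypes": ["minor"],
      "groupName": "weekly minor updates",
      "schedule": ["before 6am on monday"],
      "automerge": false
    },
    {
      "description": "Major versions: one PR each, created only after dashboard approval",
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "dependencyDashboardApproval": true
    },
    {
      "description": "Exception list (hypothetical package names): never moved silently, every update needs explicit approval",
      "matchPackageNames": ["some-load-bearing-lib", "framework-under-migration"],
      "automerge": false,
      "dependencyDashboardApproval": true,
      "labels": ["dependencies", "needs-migration"]
    }
  ],
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": true
  },
  "osvVulnerabilityAlerts": true
}
```

Renovate's built-in defaults for vulnerability-alert PRs drop the schedule, grouping and minimumReleaseAge, so an advisory PR opens the same day and is not held by the 3-day stability wait, while automerge still waits for the branch's checks to pass. The separate security label is what the weekly open-PR audit filters on; the post-merge npm audit, pip-audit or cargo audit run is a CI step outside this file.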