Skip to content

chore: add Dependabot config for automated dependency updates across pip, npm, and Docker#7274

Open
prabinoid wants to merge 1 commit into
developfrom
chore/7183-dependabot-updates
Open

chore: add Dependabot config for automated dependency updates across pip, npm, and Docker#7274
prabinoid wants to merge 1 commit into
developfrom
chore/7183-dependabot-updates

Conversation

@prabinoid

Copy link
Copy Markdown
Collaborator

What type of PR is this? (check all applicable)

  • 🍕 Feature
  • 🐛 Bug Fix
  • 📝 Documentation
  • 🧑‍💻 Refactor
  • ✅ Test
  • 🤖 Build or CI
  • ❓ Other (please specify)

Describe this PR

Re-introduces Dependabot after it was removed previously due to excessive PR noise. Root causes are fixed this time.

Why it failed before:

  • Daily schedule → 30–50+ PRs/week
  • No grouping → every package = its own PR
  • Scanned full lockfile (~1,400 transitive deps) instead of direct deps only

What changed:

  • Weekly schedule (Monday 09:00 UTC) instead of daily
  • allow: direct on pip and npm — only updates packages in pyproject.toml / package.json, not the entire lockfile
  • Smart groups — related packages bundle into one PR (e.g. all 9 @turf/* → 1 PR)
  • Covers 4 ecosystems: Python, npm/yarn, Dockerfiles, docker-compose images
  • GitHub Actions intentionally disabled — action bumps can silently break workflow inputs in ways CI can't catch; too risky with 10+ workflows

Expected output: ~3–6 PRs/week (down from 30–50+)

@sonarqubecloud

Copy link
Copy Markdown

@prabinoid prabinoid requested a review from spwoodcock June 23, 2026 11:45
@ramyaragupathy ramyaragupathy requested review from dakotabenjamin and spwoodcock and removed request for spwoodcock June 25, 2026 04:04
@spwoodcock

Copy link
Copy Markdown
Member

Renovate is more modern, powerful, and cross-platform:
https://docs.renovatebot.com/bot-comparison/

We use renovate for FieldTM, and the plan was to roll out to other tools - apologies I didn't have time to document that in the HOT tech decisions section.

Renovate would be preferred if possible (to reduce github vendor lock), if its not too much hassle to change.

But as you have already done the work configuring this, I'm not opposed to keeping dependabot either 👍

@spwoodcock

Copy link
Copy Markdown
Member

Just added this! https://docs.hotosm.org/decisions/0012-dependency-refresh/

renovate is basically just a json file and enabling the renovate bot in github.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants