We use the Renovate GitLab Bot to automatically create merge requests for updating (some) Node and Ruby dependencies in several projects. You can find the up-to-date list of projects managed by the renovate bot in the project’s README.
Some key dependencies updated using renovate are:
We have the goal of updating all dependencies with renovate.
Updating dependencies automatically has several benefits, have a look at this example MR.
- MRs are created automatically when new versions are released.
- MRs can easily be rebased and updated by just checking a checkbox in the MR description.
- MRs contain changelog summaries and links to compare the different package versions.
- MRs can be assigned to people directly responsible for the dependencies.
It is okay to reject Community Contributions that solely bump dependencies. Simple dependency updates are better done automatically for the reasons provided above. If a community contribution needs to be rebased, runs into conflicts, or goes stale, the effort required to instruct the contributor to correct it often outweighs the benefits.
If a dependency update is accompanied with significant migration efforts, due to major version updates, a community contribution is acceptable.
Here is a message you can use to explain to community contributors as to why we reject simple updates:
Hello CONTRIBUTOR! Thank you very much for this contribution. It seems like you are doing a "simple" dependency update. If a dependency update is as simple as increasing the version number, we'd like a Bot to do this to save you and ourselves some time. This has certain benefits as outlined in our <a href="https://docs.gitlab.com/ee/development/fe_guide/dependencies.html#updating-dependencies">Frontend development guidelines</a>. You might find that we do not currently update DEPENDENCY automatically, but we are planning to do so in [the near future](https://gitlab.com/gitlab-org/frontend/rfcs/-/issues/21). Thank you for understanding, I will close this Merge Request. /close