
014 - Use Dependabot to manage dependency updates

Date: 2020-12-05

Status

✅ Accepted

Context

Both Renovate Bot and Dependabot are in use in our repositories to manage dependency updates. This leads to conflicts where both tools open separate pull requests (PRs) for the same dependency, causing unnecessary duplication and management overhead.

Decision

To use Dependabot, as it is better suited to GitHub-based projects (simpler to configure, natively integrated with GitHub, and focused on security updates), and to temporarily disable Renovate Bot.

Currently, Dependabot targets:

  • “bundler”, which is used for managing Ruby dependencies. Dependabot will check for updates in the root directory (“/”) on a daily basis.
  • “terraform”, with updates being checked in the “/terraform” directory daily.
  • “github-actions”, which manages GitHub Actions workflows. Updates will be checked in the root directory (“/”) daily.
  • “pip”, used for Python dependencies. Dependabot will check for updates in the root directory (“/”) daily.
  • “npm”, which manages JavaScript dependencies. Updates will be checked in the root directory (“/”) daily.
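The configuration the list above describes, written out as a `.github/dependabot.yml`. This is an added illustration, not the repository's own file: the `version: 2` key and the `updates` structure are required by Dependabot's configuration schema, and everything else (ecosystems, directories, daily interval) follows directly from the list; no labels, reviewers, grouping or PR limits are assumed.

```yaml
# .github/dependabot.yml  (illustrative example; not the repository's actual file)
version: 2
updates:
  # Ruby gems: Gemfile / Gemfile.lock in the repository root
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"

  # Terraform providers and modules under /terraform
  - package-ecosystem: "terraform"
    directory: "/terraform"
    schedule:
      interval: "daily"

  # Actions referenced by workflows in .github/workflows
  # (directory is "/" here: Dependabot locates the workflow files itself)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

  # Python: requirements.txt / pyproject.toml / Pipfile in the root
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "daily"

  # JavaScript: package.json / package-lock.json in the root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
```

Two caveats worth knowing when checking a repository against this: the file only drives Dependabot version updates, while Dependabot security updates (PRs raised for advisories in the GitHub Advisory Database) are switched on separately in the repository's security settings; and a manifest in a subdirectory other than those listed (for example a second `package.json` under a service folder) is not scanned until its directory is added as a further `updates` entry.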

Alternative Considerations:

Renovate Bot

Renovate Bot targeting of “terraform-module” and “terraform-provider” dependencies has been temporarily disabled in the following repositories:

  • ‘ministryofjustice/network-access-control-infrastructure’,
  • ‘ministryofjustice/nvvs-devops-github-actions’,
  • ‘ministryofjustice/staff-device-dns-dhcp-infrastructure’,
  • ‘ministryofjustice/staff-device-shared-services-infrastructure’,
  • ‘ministryofjustice/staff-infrastructure-network-services’,
  • ‘ministryofjustice/staff-technology-services-github-teams’

This page was last reviewed on 5 December 2024. It needs to be reviewed again on 5 June 2025 by the page owner #nvvs-devops.