Decision: Use Renovate for third-party dependency updates
Status: accepted
Context
Renovate supports automatic updates across a wide variety of ecosystems, ensuring our projects are secure and up to date.
Decision
Projects will use Renovate to keep third-party dependencies up to date.
Drupal projects will use the following as their initial configuration file:
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "group:drupal-core",
    "group:symfony",
    ":enableVulnerabilityAlerts"
  ],
  "composerIgnorePlatformReqs": ["php", "ext-*", "lib-*"],
  "lockFileMaintenance": {
    "enabled": true
  },
  "rangeStrategy": "bump",
  "packageRules": [
    {
      "matchPackageNames": ["lullabot/drainpipe", "lullabot/drainpipe-dev"],
      "groupName": "Drainpipe packages"
    }
  ],
  "ignorePaths": [
    "**/node_modules/**",
    "**/bower_components/**",
    "**/vendor/**",
    "**/examples/**",
    "**/__tests__/**",
    "**/tests/**",
    "**/__fixtures__/**"
  ]
}
Non-Drupal projects will use the following as their initial configuration:
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:base",
    ":enableVulnerabilityAlerts"
  ],
  "lockFileMaintenance": {
    "enabled": true
  },
  "rangeStrategy": "bump"
}
Consequences
In comparison to other tools like Pantheon Autopilot, a pull-request-centric workflow with automated tests and peer review will ensure that updates meet quality guidelines and are safe to deploy to production.
Major dependency upgrades, such as upgrading Drupal, will be easier because sites will already be fully up to date before starting an upgrade.
On projects with adequate test coverage, teams may decide to automatically merge some updates, especially those used only for development purposes. Those teams will additionally need to set up Renovate Approve.
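Once many repositories carry a renovate.json, the configurations drift: a preset gets dropped, lock file maintenance is switched off, or an automerge rule is added that is not limited to development dependencies. The following script is an added example, not part of this decision record or of Renovate itself: it checks a repository's Renovate configuration against the baseline above (the required presets for the two project kinds, lock file maintenance, the "bump" range strategy) and flags any automerge that is not scoped by a match* selector. The project-kind labels "drupal" and "other", the policy that automerge must carry a match* selector, and both sample configurations are assumptions constructed for this example.

```python
"""Check a repository's renovate.json against the ADR baseline (added example).

The baseline below mirrors the two initial configurations in the decision record.
The project-kind labels, the automerge scoping rule and the sample configurations
are assumptions made for this example.
"""
import json

# Presets the decision record requires for each project kind (assumed labels).
REQUIRED_PRESETS = {
    "drupal": {"config:recommended", "group:drupal-core", "group:symfony", ":enableVulnerabilityAlerts"},
    "other": {"config:base", ":enableVulnerabilityAlerts"},
}
SCHEMA_URL = "https://docs.renovatebot.com/renovate-schema.json"


def check_renovate_config(config: dict, project_kind: str) -> list:
    """Return a list of findings; an empty list means the config matches the baseline."""
    findings = []
    if config.get("$schema") != SCHEMA_URL:
        findings.append("$schema is missing or does not point at the Renovate schema")
    missing = REQUIRED_PRESETS[project_kind] - set(config.get("extends", []))
    if missing:
        findings.append("extends is missing required presets: " + ", ".join(sorted(missing)))
    if not config.get("lockFileMaintenance", {}).get("enabled", False):
        findings.append("lockFileMaintenance is not enabled")
    if config.get("rangeStrategy") != "bump":
        findings.append("rangeStrategy is not 'bump'")
    # Assumed policy: automerge is only acceptable inside a packageRule that narrows
    # what it applies to (matchDepTypes, matchPackageNames, ...), never globally.
    if config.get("automerge"):
        findings.append("top-level automerge merges every update without review")
    for index, rule in enumerate(config.get("packageRules", [])):
        scoped = any(key.startswith("match") for key in rule)
        if rule.get("automerge") and not scoped:
            findings.append(f"packageRules[{index}] automerges without any match* selector")
    return findings


def check_renovate_file(path: str, project_kind: str) -> list:
    """Load a renovate.json from disk and check it (CI entry point)."""
    with open(path, encoding="utf-8") as handle:
        return check_renovate_config(json.load(handle), project_kind)


# Constructed sample: a non-Drupal repository whose renovate.json has drifted.
DRIFTED_CONFIG = json.loads("""
{
  "extends": ["config:base"],
  "rangeStrategy": "pin",
  "automerge": true,
  "packageRules": [
    {"automerge": true},
    {"matchDepTypes": ["devDependencies"], "automerge": true}
  ]
}
""")

# Constructed sample: a Drupal repository that follows the baseline and only
# automerges Composer require-dev packages.
COMPLIANT_DRUPAL_CONFIG = {
    "$schema": SCHEMA_URL,
    "extends": ["config:recommended", "group:drupal-core", "group:symfony", ":enableVulnerabilityAlerts"],
    "lockFileMaintenance": {"enabled": True},
    "rangeStrategy": "bump",
    "packageRules": [{"matchDepTypes": ["require-dev"], "automerge": True}],
}

if __name__ == "__main__":
    samples = [("drifted", DRIFTED_CONFIG, "other"), ("drupal", COMPLIANT_DRUPAL_CONFIG, "drupal")]
    for name, cfg, kind in samples:
        findings = check_renovate_config(cfg, kind)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a CI step with check_renovate_file("renovate.json", "drupal") (or "other") and fail the job when the returned list is non-empty; the drifted sample produces six findings, the compliant Drupal sample none.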
Some teams may be overwhelmed by the number of dependency updates created by Renovate. Those teams may need to use Renovate's configuration options to group updates together, or reduce the number of third-party dependencies used to a manageable number.