We'd like to better handle how we handle dependency version management.
Ideally, we'd have tooling that opened a PR to bump the relevant dependency version(s) automatically. To be able to do this, the tool needs to know a) what the versions are, b) lookup the latest version(s), and c) the semantics of the language/file to be able to create the proper diff.
Realistically, it may be good enough to have a tool that simply alerts us that we should update the version(s). This requires only a) and b).
Dependabot is able to open PRs in some cases it knows about; specifically in the case of deephaven-core, it recommends version bumps to GitHub Actions. It does not currently open PRs for version bumps for our gradle / java dependencies; likely, because it is a multi-module project, but even if it did, it would likely miss the swath of versions that are sourced from Classpaths.groovy. It's possible that if we upgraded to Gradle 8 and use more declarative versioning that Dependabot would be able to handle this.
There is also an aspect of security / vulnerability management that is related to dependency management.
As of https://github.com/deephaven/deephaven-core/pull/5086, GitHub does know about our direct and indirect gradle dependencies, and uses this for security notifications (but does not notify about normal version bumping afaict).
We'd like to better handle how we handle dependency version management.
Ideally, we'd have tooling that opened a PR to bump the relevant dependency version(s) automatically. To be able to do this, the tool needs to know a) what the versions are, b) lookup the latest version(s), and c) the semantics of the language/file to be able to create the proper diff.
Realistically, it may be good enough to have a tool that simply alerts us that we should update the version(s). This requires only a) and b).
Dependabot is able to open PRs in some cases it knows about; specifically in the case of deephaven-core, it recommends version bumps to GitHub Actions. It does not currently open PRs for version bumps for our gradle / java dependencies; likely, because it is a multi-module project, but even if it did, it would likely miss the swath of versions that are sourced from Classpaths.groovy. It's possible that if we upgraded to Gradle 8 and use more declarative versioning that Dependabot would be able to handle this.
https://github.com/renovatebot/renovate is also a tool that is in this realm.
There is also an aspect of security / vulnerability management that is related to dependency management.
As of https://github.com/deephaven/deephaven-core/pull/5086, GitHub does know about our direct and indirect gradle dependencies, and uses this for security notifications (but does not notify about normal version bumping afaict).