deephaven / deephaven-core

Deephaven Community Core

EPIC: Dependency management #5115

Open devinrsmith opened 7 months ago

devinrsmith commented 7 months ago

We'd like to better handle how we handle dependency version management.

Ideally, we'd have tooling that opened a PR to bump the relevant dependency version(s) automatically. To be able to do this, the tool needs to know a) what the versions are, b) lookup the latest version(s), and c) the semantics of the language/file to be able to create the proper diff.

Realistically, it may be good enough to have a tool that simply alerts us that we should update the version(s). This requires only a) and b).

Dependabot is able to open PRs in some cases it knows about; specifically in the case of deephaven-core, it recommends version bumps to GitHub Actions. It does not currently open PRs for version bumps for our gradle / java dependencies, likely because it is a multi-module project; but even if it did, it would likely miss the swath of versions that are sourced from Classpaths.groovy. It's possible that if we upgraded to Gradle 8 and used more declarative versioning, Dependabot would be able to handle this.

https://github.com/renovatebot/renovate is also a tool that is in this realm.

There is also an aspect of security / vulnerability management that is related to dependency management.

As of https://github.com/deephaven/deephaven-core/pull/5086, GitHub does know about our direct and indirect gradle dependencies, and uses this for security notifications (but does not notify about normal version bumping afaict).

devinrsmith commented 7 months ago

There are also non-gradle dependencies that we may care about. Docker / docker-compose versions, python versions, testcontainers version, etc.

devinrsmith commented 6 months ago

deephaven-core dependabot config: https://github.com/deephaven/deephaven-core/blob/main/.github/dependabot.yml

https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
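For reference, a constructed `dependabot.yml` covering both ecosystems discussed in this issue (this is an added illustration, not the deephaven-core config linked above; the directory paths, schedule and group pattern are assumptions):

```yaml
# Constructed example of a Dependabot version-updates config.
# Not the deephaven-core file; paths, schedule and patterns are assumptions.
version: 2
updates:
  # Workflow actions: the ecosystem Dependabot already bumps for this repo.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Gradle: one entry per build directory that should be scanned.
  # Only versions declared in build files Dependabot can parse are seen;
  # versions sourced from Classpaths.groovy would still be missed.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    # Batch related bumps into one PR instead of one PR per dependency.
    groups:
      test-dependencies:
        patterns:
          - "org.junit*"
```

Security alerts from the dependency graph (PR 5086 above) are separate from this file: version updates only run for the ecosystems and directories listed here.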