denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License

[Suggestion] Use Dependabot (or similar) for managing outdated dependencies #2429

Closed sdimkov closed 5 years ago

sdimkov commented 5 years ago

I notice that handling outdated dependencies and security fixes of third parties occurs manually. If we observe the commit history of Cargo.lock, we shall see these manual commits that do a "bulk" update of many dependencies in one commit, usually labeled "third_party: upgrade rust crates".

Manual bulk commits, in my view, are not the best way to handle this for two reasons:

What do I suggest? Just use a modern service that handles outdated dependencies and creates automatic PRs for you. Specifically, I recommend using Dependabot. It is owned by GitHub, completely free and fully automatic.

Once added to the repository (which is a matter of a few mouse clicks and 0 code), you will start getting PRs with details on what changed in the dependency and whether it is a security fix etc. The PRs are kept up-to-date and conflict-free by the bot. Check out their website for feature details and how it works.

tunnckoCore commented 5 years ago

If you are going to consider it, better start considering @renovatebot (I'm not in any way connected with them, it's just tons better and I freaking love it). I still don't get why GitHub acquired @dependabot and why there is that hype around it in the last half a year or so. The only thing I can think of for why it's "better" is that it has "10 years of security advisory data", which... isn't that important, in my opinion, because you can have automated upgrading of dependencies and if you configure it to be daily or something like that, everything is okay from a security standpoint.

(Renovate is also fully open source and written in JavaScript, also you can spawn your own hosted one)

kt3k commented 5 years ago

@sdimkov We use the special repository deno_third_party for storing the actual dependency files, and we use the special script //tools/sync_third_party.py for updating deno_third_party. I think this is very different from the way normal JavaScript or Rust projects handle their dependencies. Is it possible to configure dependabot to understand this very special situation?

ry commented 5 years ago

Our dependencies are fairly complex and cannot be managed automatically.

Deno is not a typical Rust crate, nor a typical Node module. It is a standalone runtime.

sdimkov commented 5 years ago

@kt3k @ry thanks for your answers! I guess I overlooked the git submodules with 3rd parties. In this custom context neither @dependabot, nor @renovatebot would work out-of-the-box.

I still think that my comment is valid that this manual process is suboptimal. @ry do you see value in a tool which automates it partially in some way? (For example by creating PRs in both deno and deno_third_party)
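As an added illustration (not a configuration file from the Deno project), this is what a stock Dependabot configuration covering both the root Cargo manifest and git submodules would look like; the `groups` block mirrors the "bulk" upgrade style discussed above by collecting crate bumps into one PR instead of one PR per crate. It assumes a `.github/dependabot.yml` at the repository root and a submodule layout like the one the maintainers describe; it would still not run the custom `//tools/sync_third_party.py` step, so it covers the part that can be automated, not a replacement for that script.

```yaml
# .github/dependabot.yml -- added example, not from the Deno repository.
version: 2
updates:
  # Rust crates declared in Cargo.toml and pinned in Cargo.lock at the repo root.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    # Reuse the label the manual upgrade commits already carry.
    labels:
      - "third_party"
    # Collect all crate bumps into a single PR, matching the existing
    # "third_party: upgrade rust crates" bulk-commit practice.
    groups:
      rust-crates:
        patterns:
          - "*"
  # Git submodules (for instance a vendored deno_third_party checkout):
  # Dependabot can bump the pinned commit, but it does not run a sync script.
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "weekly"
```

Security-advisory PRs are driven by Dependabot alerts rather than by this schedule and are enabled separately in the repository's security settings, so the version-update schedule above does not delay them.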