
Investigate handling/guideline for dependency updates
Open, Needs Triage, Public, 1 Estimated Story Points


Over the time a pile of dependency updates accumulated in our repositories. We should investigate and discuss how we want to handle these updates of our dependencies.

From decided on the following process:

Let's try to resolve our update backlog. The current plan is that each change that touches production code should result in a newly deployed image. If it only touches a test dependency, a new image is not needed.

The developer should check that the tests pass, read the release notes and, if anything looks "suspicious", test it manually (locally, for example). If it does cause a regression, a test should be added, the regression resolved and then it should be deployed.

As part of this ticket, also include the process for how to tackle updates per sprint (e.g. 5 updates per sprint, a timebox, etc.).


  • Agree on and document the process for resolving the Dependabot PRs

Event Timeline

We seem to have some kind of plan for this; let's just make time to discuss how we want to work on this going forwards

Evelien_WMDE set the point value for this task to 1.

I created a spreadsheet to categorize those PRs. We can keep track of them and see what we should pick to update.

Step-by-step instructions to resolve a Dependabot PR:

  1. Comment @dependabot rebase in the PR to rebase it.
  2. Resolve failed checks and rebase again if necessary.
  3. Confirm all checks passed, read the release notes, and test again locally/manually if necessary.
  4. Deploy under a new image for production dependencies; skip this for test dependencies.
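As an added example (not code from this task or from the team's repositories), a small Python helper that applies the triage rule above: it parses a Dependabot "Bump X from A to B" title, looks the package up in package.json / composer.json sections to decide whether a new image is needed, and flags major bumps for local testing. The manifests and PR titles below are constructed samples.

```python
import json
import re

# Dependabot PR titles have the form "Bump <name> from <old> to <new>" (sometimes followed by " in <dir>").
BUMP_RE = re.compile(r"^Bump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)")

# Manifest sections holding production vs. test-only dependencies
# (package.json: dependencies/devDependencies, composer.json: require/require-dev).
PROD_SECTIONS = ("dependencies", "require")
TEST_SECTIONS = ("devDependencies", "require-dev")

# Constructed sample manifests standing in for a repository's package.json and composer.json.
SAMPLE_MANIFESTS = [
    json.loads('{"dependencies": {"express": "4.17.1"}, "devDependencies": {"jest": "27.0.0"}}'),
    json.loads('{"require": {"monolog/monolog": "2.3.0"}, "require-dev": {"phpunit/phpunit": "9.5.0"}}'),
]

def classify_dependency(name, manifests):
    """Return 'production', 'test' or 'unknown' depending on which manifest section lists the package."""
    for manifest in manifests:
        if any(name in manifest.get(s, {}) for s in PROD_SECTIONS):
            return "production"
        if any(name in manifest.get(s, {}) for s in TEST_SECTIONS):
            return "test"
    return "unknown"

def is_major_bump(old, new):
    """True when the leading version component changes, e.g. 1.9.2 -> 2.0.0."""
    return old.split(".")[0] != new.split(".")[0]

def triage(pr_title, manifests):
    """Map one Dependabot PR title to the action agreed in this task."""
    m = BUMP_RE.match(pr_title)
    if not m:
        return {"title": pr_title, "kind": "unknown", "action": "manual review"}
    kind = classify_dependency(m["name"], manifests)
    if kind == "production":
        action = "checks + release notes, then deploy new image"
    elif kind == "test":
        action = "checks + release notes, merge without deploy"
    else:
        action = "manual review"
    if is_major_bump(m["old"], m["new"]):
        action += "; major bump: test locally"
    return {"dependency": m["name"], "from": m["old"], "to": m["new"], "kind": kind, "action": action}

if __name__ == "__main__":
    for title in ["Bump express from 4.17.1 to 4.18.2", "Bump jest from 27.0.0 to 29.3.1",
                  "Bump monolog/monolog from 2.3.0 to 2.8.0", "Bump left-pad from 1.0.0 to 1.3.0"]:
        print(triage(title, SAMPLE_MANIFESTS))
```

A package that appears in no manifest section (e.g. a transitive lockfile-only update) is left as "manual review" rather than guessed.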

Looks like a nice sheet! Did you make it by hand?

I think a follow-up bit of this ticket is to think about how we are going to *keep* things up to date; we might want to think about when and how we want to update this sheet; when and how often we want to act on it etc.

dang removed dang as the assignee of this task. Nov 2 2022, 2:02 PM
dang added a subscriber: dang.

Yes, I made it by hand. I thought there were just a few; I couldn't imagine the list was going to be this long. But yeah, I thought automating it to "keep things up to date" is not worth the effort, but I don't know how to keep it up to date except by paying attention to GitHub emails.

Cool! Makes some sense to me; do you think we could "in principle" start working on these now? Would we want to track the progress in Phabricator in some way? I did see the Phab column in the sheet.

My initial thought was to use the Phabricator column for the Phabricator link of the update. We can start now, but I need some thoughts and ideas from @Rosalie_WMDE and @Deniz_WMDE as well.

I like that the spreadsheet gives a good overview, but I also wonder how we can avoid too much manual effort to maintain it...

Another idea that comes to my mind is that maybe we could create a bot that creates a Phab task for each new Dependabot PR, maybe with its own tag or column?

And to tame them in general we could agree to pull a bunch of them into a sprint every 4 weeks or so.

What do you think?

I like the idea of a bot creating a Phabricator ticket for Dependabot PRs.

I certainly like the idea of creating tickets; a bot or some automated way to manage this would be extra nice.