Over time, a pile of dependency updates has accumulated in our repositories. We should investigate and discuss how we want to handle these dependency updates.
In https://phabricator.wikimedia.org/T310592 we decided on the following process:
Let's try to resolve our update backlog. The current plan is that each change should result in a newly deployed image if it touches production code. If it is only a test dependency, this is not needed.
The developer should check that the tests pass, read the release notes and, if anything looks "suspicious", test it manually (locally, for example). If it does cause a regression, a test should be added, the regression resolved, and then it should be deployed.
As part of this ticket, also include the process for tackling updates per sprint (e.g. 5 updates per sprint, a timebox, etc.).
- Agree on and document the process for resolving the Dependabot PRs