Dependency Updates
Overview
Our automated dependency updates are managed by Renovate Bot, which helps keep our dependencies current while minimizing disruption to the development workflow.
Configuration
The Renovate configuration extends several presets and includes custom rules:
Base Configuration
- Extends: config:recommended - Provides sensible defaults from Renovate for most projects
- Security: Docker images and GitHub Actions are pinned to immutable SHA digests rather than mutable tags, so a later change to the tag cannot silently alter what is pulled
- Grouping: All non-major updates are grouped together to reduce PR noise
- Range Strategy: Dependencies are bumped to exact versions for consistency
- Internal Dependencies: Automatically updated across the monorepo
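Digest pinning is only useful if every reference actually carries a digest, so a reviewer wants a quick way to spot a `uses:` line or a `FROM` line that slipped back to a mutable tag. The checker below is an added example written for this page, not part of the project's Renovate setup or of Renovate itself; the workflow and Dockerfile text it scans are constructed inline, and the 40-hex and 64-hex values in them are obvious placeholders, not real commits or image digests.

```python
"""Flag GitHub Actions and Docker base images that are not pinned to a digest.

Added example for this documentation page; not project code. A GitHub Action is
considered pinned when its ref is a 40-hex commit SHA, a Docker image when it
carries an @sha256: digest. Tags such as @v4 or :20-alpine are mutable.
"""
import re

COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
DOCKER_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# "- uses: owner/repo@ref" inside a workflow step; stop at whitespace or a comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# "FROM [--platform=...] image[:tag|@digest] [AS stage]" in a Dockerfile.
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)


def action_is_pinned(ref):
    """True when an action reference cannot change underneath us."""
    if ref.startswith("./"):
        return True  # local action checked into this repository
    if ref.startswith("docker://"):
        return bool(DOCKER_DIGEST.search(ref))
    _, _, version = ref.partition("@")
    return bool(COMMIT_SHA.match(version))


def image_is_pinned(image):
    """True for digest-pinned images; 'scratch' is the empty image and has no digest."""
    return image == "scratch" or bool(DOCKER_DIGEST.search(image))


def find_unpinned(workflow_text, dockerfile_text):
    """Return (source, line_number, reference) for every mutable reference found."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        if m and not action_is_pinned(m.group(1)):
            findings.append(("workflow", n, m.group(1)))
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_LINE.match(line)
        if m and not image_is_pinned(m.group(1)):
            findings.append(("dockerfile", n, m.group(1)))
    return findings


# Constructed sample input; the all-'a' SHA and all-'0' digest are placeholders.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@{'a' * 40} # pinned (placeholder SHA)
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
"""

SAMPLE_DOCKERFILE = f"""\
FROM node:20-alpine AS build
FROM node@sha256:{'0' * 64}
FROM scratch
"""

if __name__ == "__main__":
    for source, line_no, ref in find_unpinned(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE):
        print(f"{source}:{line_no}: not pinned to a digest: {ref}")
```

On the constructed input the only findings are the `actions/checkout@v4` step and the `node:20-alpine` base image; the SHA-pinned action, the local action, the digest-pinned image and `scratch` pass. Running it over the real `.github/workflows/*.yml` and Dockerfiles in a PR branch is a cheap complement to trusting that the presets applied everywhere.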
Update Policies
- Minimum Release Age: Updates wait 21 days after release before being proposed
- Dev Dependencies: Pinned to exact versions
- Reviewers: Automatically assigned from CODEOWNERS file (1 reviewer per PR)
Exclusions
@kit/* packages are excluded from automatic updates
Review Process
Automated PR Creation
- Renovate monitors for new dependency releases
- After the 21-day stabilization period, PRs are created
- Updates are grouped by type (non-major updates together)
- One reviewer is randomly selected from CODEOWNERS
Reviewer Responsibilities
The assigned reviewer should:
- Check Release Notes: Review changelog for breaking changes or important updates
- Verify CI Status: Ensure all tests and checks pass
- Test Locally (for major updates): Pull the branch and verify functionality
- Security Considerations: Pay special attention to security-related updates
Merge Guidelines
Non-Major Updates
- Can be merged after CI passes and basic review
- Grouped PRs reduce overhead
- Focus on CI status and any deprecation warnings
Major Updates
- Require thorough testing in development environment
- May need team discussion for significant changes
- Consider creating separate PRs for complex major updates
- Update documentation if APIs change
Security Updates
- Should be prioritized and merged promptly
- Override the 21-day waiting period if critical
- Notify team of urgent security patches
- Consider hotfix procedures for production systems
Configuration File Reference
The .renovaterc.json configuration includes:
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests",
    ":configMigration",
    ":pinDevDependencies",
    "group:allNonMajor",
    "group:recommended"
  ],
  "packageRules": [
    {
      "enabled": false,
      "matchPackageNames": ["/^@kit//"]
    }
  ],
  "updateInternalDeps": true,
  "rangeStrategy": "bump",
  "reviewersFromCodeOwners": true,
  "reviewersSampleSize": 1,
  "minimumReleaseAge": "21 days"
}
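The policies described on this page live in that one file, so a later edit that drops a pinning preset or shortens the release age quietly weakens them. The linter below is an added example for this page, not part of the project or of Renovate: it checks a parsed `.renovaterc.json` against the documented policy (the three pinning presets present, `minimumReleaseAge` of at least 21 days, `@kit/*` disabled, `rangeStrategy` set to `bump`). The documented configuration is embedded verbatim; the weakened variant beside it is constructed to show what the check reports. Parsing of `minimumReleaseAge` approximates a month as 30 days, which is an assumption of this example, not Renovate's definition.

```python
"""Lint a Renovate config against the documented dependency-update policy.

Added example for this documentation page; not project code.
"""
import json
import re

REQUIRED_PRESETS = {
    "docker:pinDigests",              # Docker images pinned to digests
    "helpers:pinGitHubActionDigests", # GitHub Actions pinned to commit SHAs
    ":pinDevDependencies",            # dev dependencies pinned to exact versions
}
MIN_RELEASE_AGE_DAYS = 21
KIT_PATTERN = "/^@kit//"

# Approximate unit sizes for comparing durations (month = 30 days is an assumption).
_DAYS_PER_UNIT = {"minute": 1 / 1440, "hour": 1 / 24, "day": 1, "week": 7, "month": 30, "year": 365}


def release_age_days(value):
    """Convert a Renovate duration such as '21 days' or '3 weeks' to days; 0 if unset or unparseable."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week|month|year)s?\s*", value or "")
    return int(m.group(1)) * _DAYS_PER_UNIT[m.group(2)] if m else 0


def excluded_patterns(config):
    """Package-name patterns covered by a rule that disables updates."""
    patterns = set()
    for rule in config.get("packageRules", []):
        if rule.get("enabled") is False:
            patterns.update(rule.get("matchPackageNames", []))
    return patterns


def policy_violations(config):
    """Return human-readable violations; an empty list means the config matches the policy."""
    violations = []
    for preset in sorted(REQUIRED_PRESETS - set(config.get("extends", []))):
        violations.append(f"missing preset {preset}")
    if release_age_days(config.get("minimumReleaseAge")) < MIN_RELEASE_AGE_DAYS:
        violations.append(f"minimumReleaseAge below {MIN_RELEASE_AGE_DAYS} days")
    if KIT_PATTERN not in excluded_patterns(config):
        violations.append("@kit/* packages not excluded")
    if config.get("rangeStrategy") != "bump":
        violations.append("rangeStrategy is not bump")
    return violations


# The configuration documented on this page.
DOCUMENTED_CONFIG = json.loads("""
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended", "docker:pinDigests", "helpers:pinGitHubActionDigests",
              ":configMigration", ":pinDevDependencies", "group:allNonMajor", "group:recommended"],
  "packageRules": [{"enabled": false, "matchPackageNames": ["/^@kit//"]}],
  "updateInternalDeps": true,
  "rangeStrategy": "bump",
  "reviewersFromCodeOwners": true,
  "reviewersSampleSize": 1,
  "minimumReleaseAge": "21 days"
}
""")

# Constructed weakened variant: pinning presets and the @kit rule dropped, release age shortened.
WEAK_CONFIG = {
    "extends": ["config:recommended", "group:allNonMajor"],
    "rangeStrategy": "bump",
    "minimumReleaseAge": "3 days",
}

if __name__ == "__main__":
    for name, cfg in (("documented", DOCUMENTED_CONFIG), ("weakened", WEAK_CONFIG)):
        print(name, policy_violations(cfg) or "ok")
```

Pointing `json.loads` at the contents of the repository's `.renovaterc.json` instead of the embedded string turns this into a CI step that fails when the file drifts from the policy described above.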
Best Practices
- Regular Reviews: Don't let dependency PRs accumulate
- Changelog Reading: Always check what changed, especially for major versions
- Testing: Run local tests for significant updates
- Communication: Inform team about major dependency changes
- Security First: Prioritize security updates over feature updates
Troubleshooting
Common Issues
- Failing CI: Check if the update introduces breaking changes
- Merge Conflicts: Rebase or use Renovate's rebase checkbox
- Incompatible Updates: May need to update multiple dependencies together
Manual Intervention
Sometimes manual updates are needed when:
- Dependencies have complex interdependencies
- Major version requires code changes
- Renovate is unable to resolve version conflicts