Configure Dependabot security updates?

[marianafranco]

Dependabot can notify of insecure or old library versions, helping to keep dependencies up-to-date.

I have a private fork of 1.21.3 in which dependabot is complaining of some old dependencies.

Why?

Pros:

• Notifies of newer library versions (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates) - by notifications or creates an automated PR. This helps keeping up with the latest versions, which in some degree may bring in bug fixes/security updates/improvements/etc.
• Notifies of insecure library versions (https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) - helps detecting if there are any security issues with any of the libraries.

Cons:

• More noise from the bot (depends on how you configure it).

Examples from other open source projects:

• Enable Dependabot for etcd if we see a good fit etcd-io/etcd#14673
• Allow dependabot to check go modules ingress-nginx#6873
• enable dependabot prometheus/prometheus#9722

[jbartosik]

Thats too little information. Please provide some more details.

[marianafranco]

@jbartosik I updated the description and added example of open source projects that have decided to enable it.

[jbartosik]

Thanks.

@mwielgus @gjtempleton what do you think?

[gjtempleton]

Hey @marianafranco,

Thanks for the suggestion.

There's some potential complexities with our repo setup (particularly in the CA), given we've now started to vendor cloud-provider specific dependencies in not through go.mod files or similar (e.g. the AWS-sdk-go), so I worry we might end up giving ourselves a false sense of security in some regards, though maybe Dependabot can be configured to deal with that?

I certainly see no harm in enabling it for the VPA as an initial evaluation given it doesn't have some of the same issues as the CA if you have no objection to it @jbartosik?

[sanmai-NL]

Why Dependabot over Renovate?