
8. Dependency auto-merge policy

Date: 2023-02-27

Status

Proposed

Context

Renovate, the dependency management tool we use in Sirius, offers many configuration options. The most pertinent to this ADR are:

  • Grouping dependency upgrades into a single PR, either by language, directory, semver level or package name
  • Automatically merging dependency upgrade PRs if pipeline checks pass
  • Ignoring dependency upgrades until a certain number of days has passed
  • Creating PRs to refresh a lockfile’s state (i.e. upgrading all transitive dependencies)

Decision

We’re proposing to trial an approach of:

  1. Ignore dependencies until they are at least 3 days old
    • This gives the wider ecosystem time to identify a release as mistaken, malicious or damaging (and yank or supersede it) before we pick it up
  2. Do not create lockfile refresh PRs
    • We should only upgrade transitive dependencies if required by a direct dependency or to patch a security vulnerability
    • Additionally, lockfile refresh PRs take the latest version of every transitive dependency and cannot apply a minimum age, so they would violate the “3 days old” rule
  3. Group patch/minor upgrades into one PR
    • Combining these into one PR reduces noise and build costs
  4. Automatically merge the patch/minor upgrade PR in repositories that we feel have adequate test coverage
    • If our tests pass then there is no further testing that we would reasonably expect to do
    • In repositories that have variable test coverage, we will further divide the patch/minor upgrade PR by directory and/or language so that the well-covered areas can be automatically merged
  5. Create individual PRs for each major upgrade and require manual approval
    • Major upgrades to direct dependencies require more careful manual review
    • They often require changes to our code, so should be handled individually unless specifically grouped (e.g. Renovate groups all Angular packages because they are released together)
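The five decisions above map onto a single Renovate configuration file. The `renovate.json5` below is an added illustration written for this ADR, not the configuration the Sirius repositories actually use; the `legacy/**` directory carved out of automerge and the exclusion of 0.x packages are assumptions made for the example, not decisions recorded above.

```json5
// renovate.json5 - illustration for this ADR, not the Sirius repositories' real config
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: [
    "config:recommended", // Renovate's default preset (called config:base in older versions)
    "group:monorepos",    // keeps packages released together (e.g. Angular) in one PR
  ],

  // 1. Ignore releases until they are at least 3 days old.
  //    Older Renovate versions spell this `stabilityDays: 3`.
  minimumReleaseAge: "3 days",
  // "strict" makes Renovate propose the newest release that passes the age check
  // instead of holding a PR for a release that does not, so an unvetted version
  // never reaches a branch.
  internalChecksFilter: "strict",

  // 2. No lockfile refresh PRs: transitive dependencies only move when a direct
  //    dependency requires it.
  lockFileMaintenance: { enabled: false },

  // packageRules are applied in order; later rules override earlier ones.
  packageRules: [
    // 3 + 4. One grouped PR for every minor/patch upgrade, merged automatically
    //        once the pipeline checks pass.
    {
      matchUpdateTypes: ["minor", "patch"],
      groupName: "minor and patch dependencies",
      automerge: true,
      // Assumption added here, not in the ADR: 0.x packages may break in a minor
      // release, so they are left to manual review.
      matchCurrentVersion: "!/^0/",
    },
    // 4 (repositories with uneven coverage). Split a poorly tested directory into
    //   its own PR and keep it out of automerge; the rest still merges itself.
    //   The "legacy/**" path is an assumed example. Older Renovate: `matchPaths`.
    {
      matchUpdateTypes: ["minor", "patch"],
      matchFileNames: ["legacy/**"],
      groupName: "legacy minor and patch dependencies",
      automerge: false,
    },
    // 5. Majors are not grouped, so each gets its own PR, and wait for a human.
    {
      matchUpdateTypes: ["major"],
      automerge: false,
    },
  ],
}
```

Automerge only fires after the branch's status checks are green, so the pipeline's test job must be a required status check under branch protection; otherwise a repository whose checks are optional or missing could take an upgrade untested.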

Consequences

These changes should require less input from developers, as they will only need to review major upgrades and the minor/patch upgrades whose pipeline fails.

It introduces some risk, as patch/minor upgrades will be merged without manual review, but this is mitigated by our tests and by the minimum release age, which gives the wider ecosystem time to flag a bad release before we take it.

This page was last reviewed on 10 December 2024. It needs to be reviewed again on 10 June 2025 by the page owner #opg-sirius-develop .