Open Bug 1618282 (updatebot) Opened 4 years ago Updated 6 months ago

[meta] Automatic Updating of Dependencies

Categories

(Developer Infrastructure :: Mach Vendor & Updatebot, enhancement)

Tracking

(Not tracked)

People

(Reporter: tjr, Assigned: tjr)

References

(Depends on 6 open bugs)

Details

(Keywords: meta)

This bug tracks the development of a system to detect when updates are available to dependencies, file a bug, apply them to m-c, submit it to try, attach a patch, follow up on the try results and either flag the patch for review or test failures or similar for investigation.

Chatted with Tom over Zoom:

  • UpdateBot will (at least for Python) manage a list of dependencies that it cares about being up-to-date - it isn't going to publish updates for all out-of-date packages.
  • It would be a good idea for Mach developers and the security team to meet in the middle: Mach should expose an interface to update a specific package wherever it's used, regenerate lockfiles, update vendored packages, and so on, and UpdateBot can just interface with this and then run the tasks that it wants to.
  • I've attached a new blocking bug: Mach is currently undergoing some tweaks to allow separate distinct sets of dependencies for different Mach commands. This work affects Python dependency management, so we'll defer UpdateBot's integration with Python until after this Mach work is complete.
Depends on: 1712131
Depends on: 1731594

Found in triaging, 302 to the appropriate component. Please let me know if there's anything I may have missed.

Assignee: nobody → tom
Component: General → Mach Vendor & Updatebot
Product: Release Engineering → Developer Infrastructure
Depends on: 1763991
Depends on: 1764659
Depends on: 1770917
Severity: normal → S3
Depends on: 1855349
Depends on: 1857843
Depends on: 1859085