Open Bug 1618282 (updatebot) Opened 2 years ago Updated 16 days ago

[meta] Automatic Updating of Dependencies


(Developer Infrastructure :: Mach Vendor & Updatebot, enhancement)

Not set


(Not tracked)


(Reporter: tjr, Assigned: tjr)


(Depends on 11 open bugs)


(Keywords: meta)

This bug tracks the development of a system to detect when updates are available to dependencies, file a bug, apply them to m-c, submit it to try, attach a patch, follow up on the try results and either flag the patch for review or test failures or similar for investigation.

Depends on: 1699448
Depends on: 1699453
Depends on: 1699457
Depends on: 1714156
Depends on: 1714686
Depends on: 1716398

Chatted with Tom over Zoom:

  • UpdateBot will (at least for Python) manage a list of dependencies that it cares about being up-to-date - it isn't going to publish updates for all out-of-date packages.
  • It would be a good idea for Mach developers and the security team to meet in the middle: Mach should expose an interface to update a specific package wherever its used, regenerate lockfiles, update vendored packages, and so on, and UpdateBot can just interface with this and then run the tasks that it wants to.
  • I've attached a new blocking bug: Mach is currently undergoing some tweaks to allow separate distinct sets of dependencies for different Mach commands. This work affects Python dependency management, so we'll defer UpdateBot's integration with Python until after this Mach work is complete.
Depends on: 1712131
Depends on: 1720704
Depends on: 1729456
Depends on: 1730394
Depends on: 1731594
Depends on: 1741872

Found in triaging, 302 to the appropriate component. Please let me know if there's anything I may have missed.

Assignee: nobody → tom
Component: General → Mach Vendor & Updatebot
Product: Release Engineering → Developer Infrastructure
You need to log in before you can comment on or make changes to this bug.