standard-webhooks / standard-webhooks

The Standard Webhooks specification

Home Page: https://www.standardwebhooks.com/


Use dependency bot

zekth opened this issue · comments

Currently we are maintaining a set of libraries which have dependencies.
Keeping everything up to date and free of security vulnerabilities would be quite a mess to do manually.

I suggest we use Renovate, which supports all the languages we support.

wdyt?

Dependabot doesn't offer simple strategies regarding multiple languages / grouping, etc.
Renovate is free, simpler and more performant in my experience. It's easy to set up and also offers a simple dashboard.
One example of what we built at Kong : https://github.com/Kong/public-shared-renovate

I'm up for either. No strong opinion either way.

@zekth, I don't remember, did we manage to set it up? I remember we had issues.

I'll have a retry run, but it was acting weirdly. I think we can set up Dependabot as a backup solution, but Renovate is more convenient.

@zekth, I think it's maybe still too aggressive? Should we maybe only tell it to upgrade on security issues?

We were really out of date on many deps. I created one PR to address the grouping of JavaScript, which is mostly the noisiest ecosystem: #96

Currently the configuration ignores PATCH updates and runs weekly. I expect it to be less noisy now that everything has been updated.
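For reference, here is a Renovate configuration that encodes what the thread converges on (a weekly run, routine PATCH bumps skipped, JavaScript updates grouped into one PR) together with a separate security channel, which addresses the question of whether Renovate could be restricted to security issues. This is an added example, not the repository's actual configuration and not the Kong shared preset linked above. The schedule string, the group name, the `security` label and the use of a JSON5 file (which Renovate accepts, so the file can carry comments) are choices made for illustration.

```json5
// renovate.json5: added example, not the project's own configuration.
// Renovate reads JSON5, so the options below can be annotated inline.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],

  // Regular (non-security) update runs happen once a week, outside working hours.
  // The schedule string is an assumption; adjust to the team's timezone.
  schedule: ["before 5am on monday"],

  // One tracking issue listing every pending or rate-limited update.
  dependencyDashboard: true,

  // Security channel: fixes for GitHub vulnerability alerts and OSV advisories.
  // These PRs are raised independently of the weekly schedule above and are
  // labelled so they can be triaged before the routine batch.
  vulnerabilityAlerts: {
    enabled: true,
    labels: ["security"],
  },
  osvVulnerabilityAlerts: true,

  packageRules: [
    // Skip routine patch bumps to cut noise. After enabling this, confirm on the
    // dependency dashboard that vulnerability-alert PRs still arrive.
    {
      matchUpdateTypes: ["patch"],
      enabled: false,
    },
    // Collapse every npm-managed update into a single weekly PR.
    {
      matchManagers: ["npm"],
      groupName: "javascript dependencies",
    },
  ],
}
```

Two practical checks before relying on this: the GitHub vulnerability alerts need to be enabled on the repository and readable by the Renovate app, otherwise the `vulnerabilityAlerts` block has nothing to act on; and the first run after a long period without updates will still be large, since grouping only reduces the number of PRs, not the number of version bumps inside them.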