manuelmauro/algonaut

Bot to update dependencies

ivnsch opened this issue · 4 comments

https://dependabot.com, https://www.whitesourcesoftware.com/free-developer-tools/renovate/ ?

Ideally it should be configurable for larger-spaced intervals (monthly, biweekly?) and be batched to keep the impact on history limited.

It seems that dependabot doesn't support batched updates (dependabot/dependabot-core#1190). @manuelmauro would you like to try out renovate? It can be installed here: https://github.com/marketplace/renovate

For the record, the default renovate configuration isn't batched and we're not sure yet how to group our dependencies, and since it requires additional setup and registration, we're trying out dependabot first.

@manuelmauro we have only 4 PRs (instead of the 16 with renovate); I assume we get new PRs later? Should we maybe do this first upgrade manually, since we're very outdated, and use the bot for later upgrades?

I tried to run dependabot again, but got no new PRs. Not sure why; the hard limit in the config file is 10 PRs.
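For reference, this is an added example (not the algonaut repository's actual file) of the `.github/dependabot.yml` settings that control the two things discussed in this thread: the update interval and the open-PR cap. The root directory, the monthly interval and the label are assumptions.

```yaml
# .github/dependabot.yml (added example, not the project's real config)
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"                 # assumption: Cargo.toml lives at the repo root
    schedule:
      interval: "monthly"          # larger spacing keeps update churn in history low
    open-pull-requests-limit: 10   # the hard cap on simultaneously open update PRs
    labels:
      - "dependencies"             # assumed label for filtering bot PRs
```

Once the number of open dependabot PRs reaches `open-pull-requests-limit`, no further version-update PRs are created until some are merged or closed, so a run that yields "no new PRs" is expected when the cap is already hit; setting the limit to 0 disables version-update PRs for that ecosystem while security updates continue.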

It seems that dependabot is doing updates only for incompatible versions, which is more in line with cargo's versioning system: cargo install and cargo update will pull the most recent compatible versions of our dependencies, making it unnecessary to update the Cargo.toml for this.

The only case where the latter seems to make sense is when users use cargo update -p (in which case the transitive dependencies are not updated) and we are using a new feature of the dependency, which would break the user's build. Renovate's more robust default config would prevent this, but this seems to be an edge case, and since the user is intentionally disabling the transitive update, I'm ok ignoring this for now.

As a side note, in the future we probably should use rebase and merge instead of the regular merge for updates that don't require fixes, to have only one history entry per update.