Dependency update runbook¶
Use this for routine updates or vulnerability-driven dependency changes.
Dependabot opens routine update pull requests for the ecosystems configured in
.github/dependabot.yml. Treat those pull requests as the default path for
routine dependency maintenance unless a security fix or compatibility issue
needs a manual update sooner.
Steps¶
- Identify whether the dependency is runtime, development, Node, or GitHub Actions tooling. For Dependabot pull requests, confirm that the ecosystem, labels, and changed files match the update described in the pull request.
- Update the declaration in the appropriate file.
-
Refresh locks:
uv lock npm installUse only the command that matches the changed ecosystem.
-
Run focused checks:
make deps make audit npm audit --audit-level=moderate -
Run full validation:
make check -
If the update can affect supported Python behavior, run:
make test-matrix -
Add a changelog entry when users or maintainers should know.
For Dependabot pull requests, steps 2 and 3 are usually already done by the bot. Do not merge until CI passes and the diff is limited to the expected manifests, lockfiles, workflow files, or devcontainer files.
Dependabot-specific handling¶
- Check the pull request title and labels. Expected labels are
dependenciesandmaintenance, with ecosystem-specific labels when useful. - Review release notes for major updates, security updates, build backends, pytest, pytest-benchmark, Ruff, basedpyright, uv, and GitHub Actions.
- Let CI complete. If CI fails, reproduce locally with the command reported by the failed job.
-
For Python updates that touch supported-version behavior, run:
make test-matrix -
Merge only after a human review. Auto-merge is intentionally not part of the baseline policy.
Manual Dependabot maintenance¶
If Dependabot becomes noisy, lower the relevant open-pull-requests-limit, add
or adjust groups, or temporarily set that ecosystem's limit to 0. If
Dependabot misses an ecosystem, confirm the manifest location and package
ecosystem value in .github/dependabot.yml.
If an update fails¶
Pin or revert the problematic update, record the reason in the pull request, and open a follow-up issue if the update is security-relevant.