add dependabot configuration

[yeikel]

See https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

[jponge]

Can we go to weekly instead of daily?

[vietj]

I do agree, this is aggressive.

can we configure to have a notification instead of opening a PR automatically ?

[yeikel]

Can we go to weekly instead of daily?

I updated the configuration to weekly.

I also suggest you to enable this from the repository settings :

See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

can we configure to have a notification instead of opening a PR automatically ?

We can do this but from what I understand it'll only send notifications for security updates. But I am not sure as I never used dependabot that way.

How about setting it to a lower limit like only one open at a time? Or simply just no limit at all?

The great thing about dependabot is that it creates PRs with labels, so if they create too much noise for us we can just filter them out

I also think it'll be beneficial for collaborators to know that there is pending PR with potential upgrades so that we can follow up. Otherwise only admins will know about them and it is possible that you'll miss them unintentionally

Additionally, in my opinion, it is better to have then there even if we don't action them immediately. Dependabot will keep the PRs updated and ready to be merged and that reduces the manual work involved(assuming there are no breaking changes of course). In past PRs that I contributed to this project, I had to go manually and update them. For example :

vert-x3/vertx-grpc#113 (comment)

Also, I tested it in my fork and we already have two upgrades that we could apply. As they are patches, we should be able to just merge them if all our checks pass :

[yeikel]

As a side note, I sent this same PR to most of the other modules, so when we agree in a configuration, I can update them

Thank you!

[yeikel]

@vietj @jponge

Could you please take a look at my comment above?

[vietj]

let me review the other config options before

[vietj]

I think we want at least to set a few dependencies we want to ignore like jackson or guava, because we update those and we are aware of CVEs related to them quickly. In addition such dependencies are never updated autoomatically in our stack because we want to do it at once otherwise it would create conflicts with transitive closure.

[vietj]

we just need to define the set of black listed dependabot dependencies here before and then you update this PR accordingly and update the other PR's

[vietj]

here is the start of a list of dependencies we want to exclude:

• guava
• jackson
• netty
• loggers

[yeikel]

here is the start of a list of dependencies we want to exclude:

* guava

* jackson

* netty

* loggers

@vietj I updated the configuration with your suggestions