Fallout-build/Fallout

Add Dependabot (or Renovate) for dependency updates

Open

#6 aperta il 18 mag 2026

Vedi su GitHub
 (0 commenti) (0 reazioni) (0 assegnatari)C# (1 fork)github user discovery
good first issuetarget/2026

Metriche repository

Star
 (43 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Why

Part of the enterprise-grade supply-chain story. Manual NuGet dependency tracking is a non-starter for a project with ~30 direct deps + hundreds of transitives, and the recent CVE-2026-33116 / Scriban incident showed vulnerable deps land on develop and sit until someone notices.

Scope

  • Decide: Dependabot vs Renovate. Dependabot is simpler and GitHub-native; Renovate is more powerful (grouping, schedule, custom managers) but needs an app install. Default: Dependabot for speed-to-value; revisit Renovate if grouping/scheduling becomes a problem.
  • Configure for: nuget (Directory.Packages.props), github-actions (.github/workflows/*.yml), and the dotnet SDK version (global.json).
  • Schedule: weekly bundled PRs by ecosystem; daily for security advisories.
  • Auto-merge: not initially. Triage manually until the CI release pipeline is trustworthy.

Done when

  • .github/dependabot.yml (or renovate.json) committed
  • First batch of update PRs landed
  • Decision documented in CLAUDE.md / docs

Related: enterprise CI/CD positioning.

Guida contributor