DEP-002 recommended dependency-management

Dependency update system configured

Dependabot, Renovate, or documented manual process for tracking updates

Question to ask

"Who's watching for new vulnerabilities — a person or a bot?"

Verification guide

Severity: Recommended

Check automatically:

  1. Look for Dependabot config:

    ls -la .github/dependabot.yml .github/dependabot.yaml 2>/dev/null
    
  2. Look for Renovate config:

    ls -la renovate.json renovate.json5 .renovaterc .renovaterc.json .github/renovate.json 2>/dev/null
    
  3. If found, verify config covers the project:

    # Check Dependabot covers the right ecosystem(s): every manifest in the
    # repo (package.json, go.mod, Cargo.toml, Dockerfile, ...) needs its own
    # package-ecosystem entry, and directory must point at where that
    # manifest lives (a missing or wrong directory silently updates nothing)
    grep -E "package-ecosystem|directory" .github/dependabot.yml 2>/dev/null
    
    # Check Renovate is not switched off: a config file that sets
    # "enabled": false does nothing even though it exists
    grep -H '"enabled"' renovate.json renovate.json5 .renovaterc .renovaterc.json .github/renovate.json 2>/dev/null
    cat renovate.json 2>/dev/null
    
  4. Check for recent dependency update PRs (evidence it's working). A config
     file only proves intent: Dependabot can be disabled at the organisation
     level and Renovate needs the GitHub App (or a self-hosted runner) to
     actually open PRs. Print one line per PR rather than grepping the raw
     JSON, and keep the title patterns so manual bumps are also caught:

    gh pr list --state all --limit 50 --json title,author,createdAt \
      --jq '.[] | "\(.createdAt) \(.author.login) \(.title)"' \
      | grep -iE "dependabot|renovate|bump|update.*dependenc"
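The four steps above as one script, added here as an example and not part of the original checklist or of any project's tooling. It locates the Dependabot or Renovate config, checks that a Dependabot config has an entry for every common manifest found in the repo root, flags a Renovate config that sets "enabled": false, and counts update PRs in a one-line-per-PR listing such as the gh command above produces. The manifest-to-ecosystem table and the root-only search are assumptions made for the example; extend both for your stack.

```shell
#!/bin/sh
# Added example: a scripted DEP-002 check (not from the original page).
# Usage: dep002_check /path/to/checkout   -> prints PASS/FAIL, exit 0 on pass
#
# Assumptions: the manifest-to-ecosystem table is a partial one for common
# stacks, and only manifests in the repository root are considered.

# Map a manifest or lockfile name to Dependabot's package-ecosystem value.
dep002_ecosystem_for() {
  case "$1" in
    package-lock.json|yarn.lock|pnpm-lock.yaml) echo npm ;;
    requirements.txt|Pipfile.lock|poetry.lock)  echo pip ;;
    go.sum)       echo gomod ;;
    Cargo.lock)   echo cargo ;;
    Gemfile.lock) echo bundler ;;
    Dockerfile)   echo docker ;;
  esac
}

# Steps 1-2: locate the update-bot config. Prints "dependabot <path>" or
# "renovate <path>"; returns 1 when neither exists.
dep002_find_config() {
  repo=$1
  for f in .github/dependabot.yml .github/dependabot.yaml; do
    [ -f "$repo/$f" ] && { echo "dependabot $f"; return 0; }
  done
  for f in renovate.json renovate.json5 .renovaterc .renovaterc.json \
           .github/renovate.json .github/renovate.json5; do
    [ -f "$repo/$f" ] && { echo "renovate $f"; return 0; }
  done
  return 1
}

# Step 3 (Dependabot): list ecosystems present in the repo root that the
# config has no package-ecosystem entry for. Empty output means covered.
dep002_uncovered() {
  repo=$1; cfgfile=$2
  for manifest in package-lock.json yarn.lock pnpm-lock.yaml requirements.txt \
                  Pipfile.lock poetry.lock go.sum Cargo.lock Gemfile.lock Dockerfile; do
    [ -f "$repo/$manifest" ] || continue
    eco=$(dep002_ecosystem_for "$manifest")
    grep -Eq "package-ecosystem:[[:space:]]*[\"']?$eco[\"']?[[:space:]]*$" "$repo/$cfgfile" \
      || echo "$eco ($manifest)"
  done
}

# Step 4: count dependency-update PRs in a one-line-per-PR listing on stdin,
# e.g. the output of
#   gh pr list --state all --limit 50 --json title,author,createdAt \
#     --jq '.[] | "\(.createdAt) \(.author.login) \(.title)"'
dep002_count_update_prs() {
  grep -ciE 'dependabot|renovate|bump|update.*dependenc' || true
}

# Apply the pass/fail criteria to a checkout.
dep002_check() {
  repo=${1:-.}
  cfg=$(dep002_find_config "$repo") || {
    echo "FAIL no Dependabot or Renovate config; ask how updates are tracked"
    return 1
  }
  kind=${cfg%% *}; cfgpath=${cfg#* }
  case "$kind" in
    dependabot)
      missing=$(dep002_uncovered "$repo" "$cfgpath")
      if [ -n "$missing" ]; then
        echo "FAIL $cfgpath does not cover: $missing"
        return 1
      fi ;;
    renovate)
      # "enabled": false switches the bot off even though the file exists
      if grep -Eq '"enabled"[[:space:]]*:[[:space:]]*false' "$repo/$cfgpath"; then
        echo "FAIL $cfgpath sets \"enabled\": false"
        return 1
      fi ;;
  esac
  echo "PASS $kind configured at $cfgpath"
}
```

Run it from the audit machine as `dep002_check /path/to/checkout`; a FAIL line names the gap (no config, an ecosystem the Dependabot config omits, or a disabled Renovate config), which is the evidence to record under "Evidence to capture". The PR count is a separate function so the gh output, or a saved copy of it, can be piped in.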
    

Cross-reference with:

  • DEP-001: If lockfile is fresh and no vulnerabilities, the system is likely working

Pass criteria:

  • Dependabot or Renovate configured, OR
  • Evidence of regular manual dependency updates (recent PRs, fresh lockfile)

Fail criteria:

  • No automated system AND no evidence of manual updates
  • Config exists but is broken/incomplete (wrong ecosystem, wrong directory)

If no config found, ask user: "No Dependabot or Renovate config found. How are dependency updates tracked? Is there a manual process?"

Evidence to capture:

  • Which system configured (Dependabot/Renovate/manual)
  • Config file location
  • Recent dependency update PRs (last 3 months)

Section

02. Dependencies & Code Quality

Infrastructure & Setup