Issue: #1613
Last Updated: 2026-03-11
RustChain uses GitHub Dependabot to automate dependency updates across multiple ecosystems. This document outlines the configuration, update policy, and operational guidelines.
Dependabot is configured via .github/dependabot.yml. The configuration covers:
| Ecosystem | Directories | Schedule | PR Limit |
|---|---|---|---|
| pip (Python) | /, /tests, /sdk/python, /integrations/mcp-server, /rustchainnode | Weekly (Monday 06:00 UTC) | 2-5 per directory |
| cargo (Rust) | /rustchain-wallet, /rips | Weekly (Tuesday 06:00 UTC) | 2-3 per directory |
| npm (Node.js) | /contracts/erc20, /onboard, /react-native-wallet, /snap, /solana | Weekly (Wednesday 06:00 UTC) | 2-3 per directory |
| github-actions | / | Weekly (Thursday 06:00 UTC) | 5 |
Dependencies are grouped to reduce PR noise:
- python-security: All security updates (priority)
- python-dev-dependencies: Minor and patch version updates
- rust-security: All security updates (priority)
- rust-minor-patch: Minor and patch version updates
- npm-security: All security updates (priority)
- npm-production: Production dependencies (minor/patch)
- npm-development: Development dependencies (minor/patch)
- github-actions: All action version updates
| Priority | Type | Action Required |
|---|---|---|
| Critical | Security updates with known CVEs | Review and merge within 48 hours |
| High | Security updates (no active exploit) | Review and merge within 7 days |
| Medium | Minor version updates | Review within 14 days |
| Low | Patch version updates | Review within 30 days |
- Security Updates: Always prioritize. Check linked CVE details.
- Breaking Changes: Review changelogs for major version updates.
- Test Coverage: Ensure CI passes before merging.
- Dependency Chains: Watch for cascading updates.
- Automerge: Patch updates with passing CI may be auto-merged (if enabled)
- Manual Review: Minor/major updates require maintainer approval
- Blocked PRs: Add the `dependencies blocked` label if an update causes issues
To add Dependabot coverage for a new directory:
- Ensure the directory contains a valid manifest file:
  - Python: `requirements.txt` or `pyproject.toml`
  - Rust: `Cargo.toml`
  - Node.js: `package.json`
- Add a new entry to `.github/dependabot.yml`:

```yaml
  - package-ecosystem: "pip" # or "cargo", "npm"
    directory: "/path/to/directory"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 3
```

- Test the configuration with Dependabot preview (if available)
If Dependabot is not opening PRs for a directory:
- Check `open-pull-requests-limit`; the directory may be at capacity
- Verify the manifest file is valid and parseable
- Ensure the directory path is correct (must be absolute from the repo root)

Before merging a Dependabot PR:
- Review the changelog for breaking changes
- Check whether the dependency requires a lockfile update
- Test locally before merging
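The first three checks (PR limit, manifest present, absolute directory path) are mechanical and can be run before a configuration change is pushed. The script below is an added example written for this page, not a tool the project ships: it takes the configuration as the dictionary that `yaml.safe_load` returns and walks a local checkout. The ecosystem-to-manifest mapping in `MANIFESTS` and the throwaway repository layout built in `demo()` are assumptions constructed for illustration.

```python
"""Sanity-check a parsed .github/dependabot.yml against a local checkout.

Added example for this page, not part of the project. MANIFESTS is an
assumed mapping that mirrors the manifest list in the text above.
"""
import os
import tempfile
from pathlib import Path

# Files Dependabot must find in an entry's directory, per ecosystem (assumed mapping).
MANIFESTS = {
    "pip": ("requirements.txt", "pyproject.toml"),
    "cargo": ("Cargo.toml",),
    "npm": ("package.json",),
    "github-actions": (".github/workflows",),
}
INTERVALS = {"daily", "weekly", "monthly"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
UPDATE_TYPES = {"major", "minor", "patch"}


def check_config(config, repo_root):
    """Return a list of findings; an empty list means nothing looked wrong."""
    problems = []
    if config.get("version") != 2:
        problems.append("top level: 'version' must be 2")
    updates = config.get("updates")
    if not isinstance(updates, list) or not updates:
        return problems + ["top level: 'updates' must be a non-empty list"]
    seen = set()
    for i, entry in enumerate(updates):
        eco = entry.get("package-ecosystem")
        directory = entry.get("directory")
        where = f"updates[{i}] ({eco} {directory})"
        if eco not in MANIFESTS:
            problems.append(f"{where}: unknown package-ecosystem")
            continue
        # Dependabot resolves 'directory' from the repository root, so it must be absolute.
        if not isinstance(directory, str) or not directory.startswith("/"):
            problems.append(f"{where}: directory must be absolute from the repo root")
            continue
        if (eco, directory) in seen:
            problems.append(f"{where}: duplicate entry for this ecosystem and directory")
        seen.add((eco, directory))
        local = os.path.join(repo_root, directory.strip("/"))
        if not os.path.isdir(local):
            problems.append(f"{where}: directory does not exist in the checkout")
        elif not any(os.path.exists(os.path.join(local, m)) for m in MANIFESTS[eco]):
            problems.append(f"{where}: no manifest ({' or '.join(MANIFESTS[eco])}) found")
        sched = entry.get("schedule") or {}
        if sched.get("interval") not in INTERVALS:
            problems.append(f"{where}: schedule.interval must be daily, weekly or monthly")
        if "day" in sched and sched["day"] not in DAYS:
            problems.append(f"{where}: schedule.day {sched['day']!r} is not a weekday name")
        # A limit of 0 silently disables version updates (security updates are unaffected).
        limit = entry.get("open-pull-requests-limit", 5)
        if not isinstance(limit, int) or limit < 0:
            problems.append(f"{where}: open-pull-requests-limit must be a non-negative integer")
        elif limit == 0:
            problems.append(f"{where}: open-pull-requests-limit is 0, version updates are off")
        for name, group in (entry.get("groups") or {}).items():
            unknown = set(group.get("update-types", [])) - UPDATE_TYPES
            if unknown:
                problems.append(f"{where}: group {name!r} has unknown update-types {sorted(unknown)}")
    return problems


def demo():
    """Check a config with three defects against a throwaway checkout (constructed sample)."""
    root = Path(tempfile.mkdtemp())
    (root / "requirements.txt").touch()
    (root / "rustchain-wallet").mkdir()
    (root / "rustchain-wallet" / "Cargo.toml").touch()
    (root / "onboard").mkdir()  # exists, but has no package.json yet
    (root / ".github" / "workflows").mkdir(parents=True)

    def weekly(day):
        return {"interval": "weekly", "day": day, "time": "06:00", "timezone": "UTC"}

    config = {"version": 2, "updates": [
        {"package-ecosystem": "pip", "directory": "/", "schedule": weekly("monday"),
         "open-pull-requests-limit": 5},
        {"package-ecosystem": "cargo", "directory": "/rustchain-wallet", "schedule": weekly("tuesday")},
        {"package-ecosystem": "npm", "directory": "/onboard", "schedule": weekly("wednesday")},
        {"package-ecosystem": "pip", "directory": "sdk/python", "schedule": weekly("monday")},
        {"package-ecosystem": "github-actions", "directory": "/", "schedule": weekly("thu")},
    ]}
    return check_config(config, str(root))


if __name__ == "__main__":
    import sys
    import yaml  # PyYAML, needed only to check a real file: python check.py .github/dependabot.yml .
    with open(sys.argv[1]) as fh:
        for problem in check_config(yaml.safe_load(fh), sys.argv[2] if len(sys.argv) > 2 else "."):
            print(problem)
```

`demo()` reports the missing `package.json`, the relative `sdk/python` path and the misspelled weekday, and nothing for the two well-formed entries. The zero-limit finding is deliberate: Dependabot treats `open-pull-requests-limit: 0` as "version updates off" for that entry, which is easy to mistake for "Dependabot is broken".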
Add an ignore block to skip specific dependencies or versions:

```yaml
  - package-ecosystem: "pip"
    directory: "/"
    ignore:
      - dependency-name: "package-name"
        versions: ["1.x", "2.x"]
```

To collect only patch updates into a single PR (minor and major bumps still open individual PRs), define a group restricted by `update-types`:
```yaml
  - package-ecosystem: "npm"
    directory: "/"
    groups:
      stable-updates:
        patterns:
          - "*"
        update-types:
          - "patch"
```

- Supply Chain: Dependabot helps mitigate supply-chain risk by keeping dependencies current, which shortens the window in which a known-vulnerable version stays in the tree. A fresh release can itself be a compromised package, so currency is not a substitute for review.
- CVE Monitoring: Security updates are prioritized and grouped separately
- Review Required: All updates should be reviewed before merging to production
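The group names listed near the top of this page, the ignore block and the patch-only group above all end up in the same file. The following `.github/dependabot.yml` is an added example written for this page, not the project's actual configuration: the directories and schedules are taken from the table, while the group patterns, the `labels` entry and the ignored package name are assumptions made for illustration. It uses `applies-to` to keep Dependabot security updates in their own PR, which is what the `*-security` groups describe, and `dependency-type` to split npm production from development dependencies.

```yaml
# Added example implementing the grouping policy described on this page.
# Not the project's actual file: paths and schedules come from the table above;
# group patterns, labels and the ignored package name are assumptions.
version: 2
updates:
  # Python: security fixes in one PR, routine minor/patch bumps in another
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    groups:
      python-security:
        applies-to: security-updates   # advisory-driven (CVE) updates only
        patterns:
          - "*"
      python-dev-dependencies:
        applies-to: version-updates    # scheduled version bumps
        patterns:
          - "*"
        update-types:                  # major bumps match no group: individual PRs
          - "minor"
          - "patch"

  # Node.js: production and development dependencies in separate PRs
  - package-ecosystem: "npm"
    directory: "/onboard"
    schedule:
      interval: "weekly"
      day: "wednesday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 3
    groups:
      npm-security:
        applies-to: security-updates
        patterns:
          - "*"
      npm-production:
        applies-to: version-updates
        dependency-type: "production"
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      npm-development:
        applies-to: version-updates
        dependency-type: "development"
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Assumed package name: hold it on its current major until the migration lands
      - dependency-name: "some-package"
        update-types: ["version-update:semver-major"]

  # GitHub Actions: one grouped PR; SHA-pinned actions are updated as well
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "thursday"
      time: "06:00"
      timezone: "UTC"
    open-pull-requests-limit: 5
    groups:
      github-actions:
        patterns:
          - "*"
```

Only one directory per ecosystem is shown; the remaining directories in the table get identical entries with their own `directory:` value, and the cargo entries follow the pip pattern with the `rust-security` and `rust-minor-patch` names. A major version bump matches neither version-update group and therefore opens its own PR, which is what the manual-review rule for major updates relies on.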
- GitHub Dependabot Docs
- SECURITY.md - Security policy and reporting
- CONTRIBUTING.md - Contribution guidelines
This configuration should be reviewed quarterly to:
- Add new directories as the project grows
- Adjust schedules based on team capacity
- Update groupings based on PR volume
For questions about dependency management or Dependabot configuration, open a GitHub issue or contact the maintainers.