deps: Add dependabot.yml

[phlax]

Signed-off-by: Ryan Northey [email protected]

Commit Message: deps: Add dependabot.yml
Additional Description:

adds a dependabot.yml file to ensure all deps are monitored/updated

Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue] Fix #15628
[Optional Deprecated:]
[Optional API Considerations:]

[phlax]

@moderation this adds a dependabot.yml with all the requirements.txt that i found

not sure if we need to add some stanzas for other languages

[phlax]

also worth mentioning - i think this will create a waterfall of PRs !!!

[phlax]

the other thing im thinking is that we might want to add some ci to ensure that all requirements.txt (or similar) are added

[moderation]

It might trigger an avalanche of PRs but once we fix up the deps it shouldn't be high volume after that (famous last words).

[phlax]

checking whether dependabot can analyze bazel deps (not sure about our bazel setup specifically) there is a ticket for it but not atm support i think dependabot/dependabot-core#2196

[phlax]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Check envoy-presubmit didn't fail.

🐱

Caused by: a #15651 (comment) was created by @phlax.

see: more, trace.

[mattklein123]

Thanks this is great. Do we have any way of making sure this stays up to date?

/wait-any

[phlax]

i can add now/after lmk what you would prefer - ill update it now and await a green light from @moderation

i think the bigger issue to landing this is more when @moderation is ready to deal with the fallout - theres gonna be quite a lot of PRs i think

[mattklein123]

OK SGTM. I think it's fine, we can deal with the PR fallout. It's the right thing to do. Thank you!

/wait

[phlax]

either way i added a ticket re CI - so we can land this and deal with that after if thats how it happens #15665

[moderation]

LGTM and I think after catching up it shouldn't be too frequent. One thing I thought was interesting was that Dependabot raised PRs for Jinja but ignored everything else. Using docs/requirements.txt as an example, what we currently have is:

Babel==2.8.0 \
certifi==2020.6.20 \
chardet==3.0.4 \
GitPython==3.1.8 \
packaging==20.4 \
Pygments==2.7.1 \
pytz==2020.1 \
requests==2.24.0 \
snowballstemmer==2.0.0 \
sphinx-copybutton==0.3.0 \
sphinx-rtd-theme==0.5.0 \
sphinx-tabs==1.3.0 \
Sphinx==3.2.1 \
urllib3==1.25.10 \

What is current:

Babel==2.9.0 \
certifi==2020.12.5 \
chardet==4.0.0 \
GitPython==3.1.12 \
packaging==20.9 \
Pygments==2.7.4 \
pytz==2021.1 \
requests==2.25.1 \
snowballstemmer==2.1.0 \
sphinx-copybutton==0.3.1 \
sphinx-rtd-theme==0.5.1 \
sphinx-tabs==2.0.0 \
Sphinx==3.4.3 \
urllib3==1.26.3 \

[mattklein123]

OK LMK what you want. Merge this or wait?

[moderation]

Merge 🚀

[moderation]

Boom!