Open
Description
Done Criteria
Lotus has dependabot configured for critical dependencies so we proactively stay updated where it matters most.
Critical dependencies to proactively update with dependabot
@rvagg (and others) will fill this in:
- ipfs/boxo
- libp2p/go-libp2p
- filecoin-project/go-state-types
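One way to express that scope as a Dependabot configuration, as an added example rather than a file from the Lotus repository: a `gomod` update entry whose `allow` list names only the three modules above, so Dependabot opens pull requests for those and ignores every other Go dependency. The full module paths (`github.com/ipfs/boxo`, `github.com/libp2p/go-libp2p`, `github.com/filecoin-project/go-state-types`), the weekly schedule and the PR limit are assumptions for the illustration, not values taken from the issue.

```yaml
# .github/dependabot.yml (added example; assumed paths and schedule, not the project's own file)
version: 2
updates:
  - package-ecosystem: "gomod"
    directory: "/"              # location of the root go.mod
    schedule:
      interval: "weekly"        # assumed cadence
    # Restrict Dependabot to the critical modules listed in the issue.
    # With an allow list present, no other Go dependency produces a PR,
    # which keeps the noise down while still surfacing the releases that
    # almost always have to be bubbled up to Lotus anyway.
    allow:
      - dependency-name: "github.com/ipfs/boxo"
      - dependency-name: "github.com/libp2p/go-libp2p"
      - dependency-name: "github.com/filecoin-project/go-state-types"
    open-pull-requests-limit: 3 # assumed cap on concurrent Dependabot PRs
```

Adding a module later is a one-line change to the `allow` list; removing the list entirely flips Dependabot back to watching every Go dependency, which is the blanket behaviour the notes below argue against.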
Why Important
We have a lot of technical debt regarding dependencies, and ad hoc best efforts made when we feel like it haven't been effective enough. We get into positions where we need to update a dependency but then suffer the pain of having grown too far out of date. The most recent example as of 2025-07-24 is #13197.
Not updating proactively has the impact of:
- Tasks requiring a dependency update can mushroom with unexpected work.
- We miss out on the security and performance improvements that have been shipped.
User/Customer
Maintainers
Notes
- This is taking a pragmatic approach. We're not going to blanket update all our dependencies. This will create too much noise. Instead, we'll focus on the most beneficial items (e.g., items that when released almost always involve bubbling up to Lotus anyways, items that are painful to get too far behind on).
- It's intended to scope / define this issue well so @copilot can take this on.
- Having a robust mechanism for all our dependencies is covered in Lotus has a mechanism to update dependencies #12227.