## Done Criteria

ref-fvm has dependabot configured for critical dependencies so we proactively stay updated where it matters most.

### Critical dependencies to proactively update with dependabot

@rvagg (and others) will fill this in:

- wasmtime

## Why Important

Some of our dependencies like `wasmtime` have important security fixes but also take a lot of time to upgrade because of the manual time going through all their changes and ensuring no performance regressions. Proactively being notified of new versions helps prevent getting forced into taking a bigger task at an undesired time.

In addition, there are some dependencies we control that we always want to stay current with. We likely made a change in them with the intent of bubbling up to ref-fvm. This work saves time with some automation.

## User/Customer

Maintainers

## Notes

1. This is taking a pragmatic approach. We're not going to blanket update all our dependencies. This will create too much noise. Instead, we'll focus on the most beneficial items (e.g., items that when released almost always involve bubbling up to ref-fvm anyways, items that are painful to get too far behind on).
2. It's intended to scope / define this issue well so @copilot can take this on.
3. Having a robust mechanism for all our dependencies is covered in https://github.com/filecoin-project/lotus/issues/12227.
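
The allow-list scoping described in the notes above could look like the following `dependabot.yml`. This is an added example, not ref-fvm's actual configuration: the directory, schedule, PR limit and label are assumptions, and `wasmtime` is the only dependency taken from the list above.

```yaml
# .github/dependabot.yml
# Added example, not the project's own file.
version: 2
updates:
  - package-ecosystem: "cargo"
    # Assumption: the workspace Cargo.toml lives at the repository root.
    directory: "/"
    schedule:
      # Assumption: weekly is frequent enough to avoid falling far behind
      # without generating daily noise.
      interval: "weekly"
    # Restrict version-update PRs to the critical dependencies only,
    # instead of blanket-updating every crate in the lockfile.
    allow:
      - dependency-name: "wasmtime"
      # Placeholder for the dependencies the maintainers control;
      # the issue does not name them yet.
      # - dependency-name: "<crate-we-control>"
    # Assumption: a small cap keeps the review queue manageable.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```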