We don't use it at the enterprise level, because a simple merge can embed bugs/malware/... Instead we prefer the good old boy scout mode: when a developer fixes/adds a feature on a project, he must also update the dependencies and test.
Doesn't that just result in things never getting updated? In mise I bump all of the dependencies on every release so it doesn't pollute the commit history. I still use renovate, but just so I can see if MV bumps fail the test suite—I never merge the PRs.
If a project is alive, it will be updated at least once a month, but if a major security issue appears between two updates, we force developers to update the project.