Reconfigure renovate or add dependabot to make sure we get dependency PRs for known security vulnerabilities

[SmashingQuasar]

Thanks for stopping by to let us know something could be better!

Is your feature request related to a problem? Please describe.

When this package has a vulnerable dependency, contributors need to manually open a PR and an issue to upgrade said dependencies.

Describe the solution you'd like

Setting up an automated system such as DependaBot would signifiicantly increase the QoL for contributors and users. It would also save time and increase security.

Describe alternatives you've considered

Additional context

You can find a quickstart guide for DependaBot on Github Docs.

[leahecole]

Hey! So we actually use Mend renovate and have for a very long time! Agreed that automated dependency upgrades are the way to go. Here's an example PR from renovate. I was chatting with @sofisl though because I did see that in this particular case for grpc-js she updated the dependency manually as part of another cleanup and I wondered why an automated one didn't come in. I think that in this case, gax would have been pulling in the most recent version of grpc-js anyways during installation and it was within the range that we have configured under the hood for renovate. We do agree though, that we need to tweak things a bit to make sure that security vulnerability PRs get opened no matter what; that's a good shout. I'm going to modify the title of this to reflect that

[SmashingQuasar]

Hey! So we actually use Mend renovate and have for a very long time! Agreed that automated dependency upgrades are the way to go. Here's an example PR from renovate. I was chatting with @sofisl though because I did see that in this particular case for grpc-js she updated the dependency manually as part of another cleanup and I wondered why an automated one didn't come in. I think that in this case, gax would have been pulling in the most recent version of grpc-js anyways during installation and it was within the range that we have configured under the hood for renovate. We do agree though, that we need to tweak things a bit to make sure that security vulnerability PRs get opened no matter what; that's a good shout. I'm going to modify the title of this to reflect that

Hey!

Thanks for the detailed explanation, I appreciate it. :)
Any system works, indeed, DependaBot is just one of them.
In any case, thanks for the answer, I hope this will be implemented in the future so we don't have to worry too much about those vulnerabilities! ;)