This page will describe the ways in which Civiform maintainers manage, track, and update dependencies.
To view all dependencies, open an sbt shell using
bin/sbt, then run the
dependencyBrowseTreecommand. This will open up an HTML page displaying a searchable version of the complete Java dependency graph (including transitive dependencies).
Dependency updates are automated using RenovateBot. Some dependencies are updated individually, while other dependencies (like pac4j and fasterxml/jackson) are grouped and updated together. The
renovate.jsonfile at the root of the repo controls which dependencies are grouped together for updates. The
renovate.jsonfile is also where you can configure Renovate to ignore updates for specific dependencies.
A Renovate PR will look something like this:
Before merging a Renovate PR, you can check the adoption rate, age of the new dependency version, and Renovate's confidence that it won't break your build. You can also view the changelog between the current and new versions.
In general dependency updates for parts of the code base that are heavily tested (like Java code) are good to merge as long as tests pass, while updates to less thoroughly tested parts of the code (like Terraform code) should be handled with caution.