Without automated dependency update tooling, updates are deferred indefinitely until a breaking version or a security incident forces a painful large-batch upgrade. CWE-1104 (Use of Unmaintained Third Party Components) and SSDF SP 800-218 PW.4.4 identify stale third-party components as a supply-chain risk. A project that goes 12+ months without updating accumulates several breaking changes between its installed versions and the current releases, so a routine bump becomes a multi-day migration, and a vulnerable version stays in the lockfile for the whole of that time. Dependabot and Renovate open small, reviewable PRs that keep the gap manageable.
Severity is info because missing update automation does not break current functionality; it does, however, guarantee that the dependency graph drifts toward stale, potentially vulnerable versions with nothing actively detecting the drift.
Add Dependabot to get automated weekly PRs for outdated dependencies. Create .github/dependabot.yml:
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      dev-dependencies:
        patterns: ["@types/*", "eslint*", "prettier*", "vitest*"]
Alternatively, Renovate (the hosted GitHub App is free for public and private repositories) offers more granular configuration, including auto-merge for patch updates. Both tools are low-maintenance once configured, but not zero-maintenance: the PRs still need CI and a reviewer, and auto-merge should only be enabled for update ranges that the test suite actually exercises.
ID: code-quality-essentials.dependencies.update-policy
Severity: info
What to look for: Check for automated dependency update configuration. Look for: renovate.json, renovate.json5, .renovaterc, .renovaterc.json or .github/renovate.json in the project root (Renovate Bot), and .github/dependabot.yml (GitHub Dependabot). These tools open pull requests automatically when dependencies release new versions, keeping the project from falling far behind and accumulating security debt. Without automation, dependency updates are typically deferred indefinitely until a breaking version or security incident forces a large, painful upgrade. Also look for a documented manual update policy in CONTRIBUTING.md or README.md.
Pass criteria: Enumerate all relevant code locations. Renovate or Dependabot is configured, OR a documented manual update schedule exists with at least 1 verified location.
Fail criteria: No automated dependency update tool configured and no documented update policy.
Skip (N/A) when: Not a Node.js project.
Detail on fail: "No dependency update automation (Dependabot/Renovate) configured; dependencies may fall out of date"
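The following is an added example of how this check can be evaluated in code; it is not the checker's own implementation or any project's code. The repository is represented as a dict mapping repo-relative paths to file text so the logic runs without a checkout, and load_repo() builds that dict from a real directory. The config file names are the ones Dependabot and Renovate document. Two stricter interpretations are assumptions of this example rather than the rule text: a Dependabot file only counts if it has an npm entry (a github-actions-only file leaves npm dependencies uncovered), and a Renovate config with "enabled": false does not count, since that key disables Renovate for the repository. The Dependabot YAML check and the manual-policy regex are deliberate heuristics, not full parsers.

```python
import json
import re
import sys
from pathlib import Path

DEPENDABOT_CONFIG = ".github/dependabot.yml"
RENOVATE_CONFIGS = (
    "renovate.json", "renovate.json5", ".renovaterc", ".renovaterc.json",
    ".renovaterc.json5", ".github/renovate.json", ".github/renovate.json5",
)
POLICY_DOCS = ("CONTRIBUTING.md", "README.md")
CANDIDATES = (DEPENDABOT_CONFIG, "package.json") + RENOVATE_CONFIGS + POLICY_DOCS
FAIL_DETAIL = ("No dependency update automation (Dependabot/Renovate) configured; "
               "dependencies may fall out of date")

# Assumed heuristic for a documented manual policy: "dependenc(y|ies)" ...
# "updat/upgrad" ... a cadence word, all within one sentence. A generic
# "keep your dependencies up to date" does not match on purpose.
POLICY_RE = re.compile(
    r"dependenc(?:y|ies)[^.\n]{0,120}?\b(?:updat|upgrad)\w*[^.\n]{0,120}?"
    r"\b(?:weekly|monthly|quarterly|every|each|schedule)\b",
    re.IGNORECASE,
)
ENTRY_RE = re.compile(r"package-ecosystem:\s*['\"]?([\w-]+)['\"]?")
INTERVAL_RE = re.compile(r"interval:\s*['\"]?([\w-]+)")


def load_repo(root):
    """Read only the candidate files from a checkout into a path -> text dict."""
    root = Path(root)
    return {p: (root / p).read_text(encoding="utf-8", errors="replace")
            for p in CANDIDATES if (root / p).is_file()}


def inspect_dependabot(text):
    """Return [(ecosystem, interval), ...] for a version-2 dependabot.yml, else None.

    Heuristic: each entry runs from its package-ecosystem key to the next one,
    and the first interval: inside that chunk is taken as its schedule.
    """
    if not re.search(r"^version:\s*['\"]?2['\"]?\s*$", text, re.MULTILINE):
        return None
    starts = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        iv = INTERVAL_RE.search(text[m.start():end])
        entries.append((m.group(1), iv.group(1) if iv else None))
    return entries


def inspect_renovate(text):
    """Parse a Renovate config. JSON5 (comments, trailing commas) is not parseable
    with the stdlib, so such files are reported as present but unparsed and the
    'enabled' default of true is assumed."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return {"parsed": False}
    if not isinstance(cfg, dict):
        return {"parsed": False}
    return {"parsed": True, "enabled": bool(cfg.get("enabled", True)),
            "automerge": bool(cfg.get("automerge", False)),
            "extends": cfg.get("extends", [])}


def check_update_policy(files):
    """Apply the rule to a path -> text dict; returns status, locations, detail."""
    if "package.json" not in files:
        return {"status": "skip", "locations": [], "detail": "Not a Node.js project"}
    locations = []
    if DEPENDABOT_CONFIG in files:
        entries = inspect_dependabot(files[DEPENDABOT_CONFIG])
        if entries and any(eco == "npm" for eco, _ in entries):
            locations.append(DEPENDABOT_CONFIG)
    for path in RENOVATE_CONFIGS:
        if path in files and inspect_renovate(files[path]).get("enabled", True):
            locations.append(path)
    for path in POLICY_DOCS:
        if path in files and POLICY_RE.search(files[path]):
            locations.append(path)
    if locations:
        return {"status": "pass", "locations": locations, "detail": ""}
    return {"status": "fail", "locations": [], "detail": FAIL_DETAIL}


# Constructed sample inputs (not taken from any real repository).
SAMPLE_DEPENDABOT = """version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      dev-dependencies:
        patterns: ["@types/*", "eslint*", "prettier*", "vitest*"]
"""
SAMPLE_RENOVATE_DISABLED = '{"$schema": "https://docs.renovatebot.com/renovate-schema.json", "enabled": false}'
SAMPLE_CONTRIBUTING = "## Dependencies\n\nDependencies are updated weekly by the maintainers; run `npm outdated` before each release.\n"

if __name__ == "__main__":
    repo = load_repo(sys.argv[1]) if len(sys.argv) > 1 else {
        "package.json": "{}", ".github/dependabot.yml": SAMPLE_DEPENDABOT}
    print(json.dumps(check_update_policy(repo), indent=2))
```

Run it as `python check_update_policy.py /path/to/checkout` to evaluate a real repository; without an argument it evaluates the constructed sample. The "enabled": false case is the one worth remembering: a Renovate config file being present is not the same as Renovate running.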
Remediation: Add Dependabot for automated PR creation:
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      dev-dependencies:
        patterns: ["@types/*", "eslint*", "prettier*", "vitest*"]
Or use Renovate for more configuration options. Dependabot version updates are built into GitHub and need no workflow; the Renovate GitHub App is free for public and private repositories, and Renovate can also be self-hosted, for example from a GitHub Actions workflow.