Last updated: 17 Nov 2023

govuk-dependabot-merger: ADR 4: Ignore subdependencies

Date: 2023-11-17

Context

This ADR supersedes ADR 2, which argued that we should ignore any Dependabot PRs that bump allowlisted dependencies, if those PRs also bump subdependencies that are not on the allowlist.

In the first three months that this service was active, only one Dependabot PR satisfied that rule, and thus the service only auto-merged a single PR.

In practice, most Dependabot PRs lump in a number of subdependency updates (see example). This is Bundler's native behaviour when it updates a dependency: bundle update <gem name> accepts a --conservative flag that prevents it, but there is currently no equivalent configuration option for Dependabot.

A Google document was written, explaining this issue and possible ways forward. It concluded that for the auto merger service to be at all useful, we'll need to relax the rules around subdependency updates.

Decision

We've dropped the rule that prevents subdependency bumps.
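As an added example (not govuk-dependabot-merger's own code), the Ruby script below compares two constructed Gemfile.lock files, separates the bumped direct dependencies from the subdependencies Bundler drags along, and evaluates the same PR under the ADR 2 rule described in Context and the relaxed rule decided here. The allowlist, the lockfile contents and the requirement that at least one bumped direct dependency be allowlisted are assumptions.

```ruby
ALLOWLIST = %w[govuk_publishing_components rubocop-govuk].freeze # assumed allowlist
# Constructed lockfile: the PR bumps an allowlisted direct dependency and, as
# Bundler does natively, drags a subdependency (nokogiri) along with it.
OLD_LOCK = <<~LOCK
GEM
  specs:
    govuk_publishing_components (37.1.0)
      nokogiri (>= 1.15)
    nokogiri (1.15.4)

DEPENDENCIES
  govuk_publishing_components (~> 37.0)
LOCK
NEW_LOCK = OLD_LOCK.sub("(37.1.0)", "(37.2.0)").sub("(1.15.4)", "(1.15.5)")

# Returns [{ gem name => pinned version }, [direct dependency names]].
def parse_lockfile(text)
  specs, direct, section = {}, [], nil
  text.each_line(chomp: true) do |line|
    if line =~ /\A[A-Z ]+\z/ then section = line            # GEM, DEPENDENCIES, ...
    elsif section == "GEM" && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      specs[$1] = $2                  # 4-space indent: a spec, not a nested requirement
    elsif section == "DEPENDENCIES" && line =~ /\A {2}(\S+)/
      direct << $1.delete_suffix("!") # "gem!" marks a git or path source
    end
  end
  [specs, direct]
end
# [[name, old_version, new_version], ...] for every gem whose pinned version changed.
def bumped_gems(old_text, new_text)
  old_specs = parse_lockfile(old_text).first
  parse_lockfile(new_text).first.filter_map { |n, v| [n, old_specs[n], v] if old_specs[n] && old_specs[n] != v }
end
# ADR 2 rule: every bumped gem, subdependencies included, must be on the allowlist.
def mergeable_under_adr2?(bumps, allowlist)
  !bumps.empty? && bumps.all? { |name, *| allowlist.include?(name) }
end
# ADR 4 rule: only bumped direct dependencies are judged (assumed: at least one required).
def mergeable_under_adr4?(bumps, direct, allowlist)
  direct_bumps = bumps.select { |name, *| direct.include?(name) }
  !direct_bumps.empty? && direct_bumps.all? { |name, *| allowlist.include?(name) }
end
# Subdependency bumps that ADR 4 merges without allowlist review; worth logging.
def unreviewed_bumps(bumps, direct)
  bumps.reject { |name, *| direct.include?(name) }.map(&:first)
end

bumps = bumped_gems(OLD_LOCK, NEW_LOCK)
direct = parse_lockfile(NEW_LOCK).last
puts "ADR 2: #{mergeable_under_adr2?(bumps, ALLOWLIST)}  ADR 4: #{mergeable_under_adr4?(bumps, direct, ALLOWLIST)}"
puts "unreviewed subdependency bumps: #{unreviewed_bumps(bumps, direct).inspect}"
```

The same PR is rejected under ADR 2 because nokogiri is not allowlisted, and merged under ADR 4 with the nokogiri bump reported as unreviewed.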

Consequences

This has already led to an immediate uptick in the number of PRs the auto merger will merge (see example).

This does introduce a small but acceptable attack vector, described further in the linked Google doc.