Add dependabot

[lucacome]

Adds dependabot to keep all the dependencies up to date.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lucacome
Once this PR has been reviewed and has the lgtm label, please assign jpbetz for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @lucacome!

It looks like this is your first PR to kubernetes-sigs/yaml 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/yaml has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[skitt]

Hi @lucacome, thanks for your contribution. We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy; @liggitt do you know if we have anything written down?

[lucacome]

We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy

Why is that? It doesn't seem very safe to have outdated dependencies. I've also added dependabot to a few kubernetes repos already...

[skitt]

We generally don’t want automated dependency bump PRs in Kubernetes, so I don’t think dependabot would be appropriate. I can’t find documentation on this policy

Why is that? It doesn't seem very safe to have outdated dependencies. I've also added dependabot to a few kubernetes repos already...

Not having automated dependency bump PRs isn’t the same as having outdated dependencies.

Others in k8s-code-organization have more experience of this than me, but I see several concerns with automated bump PRs (in Kubernetes):

• in many cases, bumps need to be coordinated across repositories for best effect
• different repositories have different base assumptions (for example the Go language level across branches — k/k has one per branch, k8s.io/utils has only one branch but needs to support older k/k branches), which sometimes conflict with the first point
• many, many projects depend on k/k, directly or indirectly, so bumps can have a large impact
• many bumps are of no practical consequence and should be skipped, that’s harder to do in practice with automated bumps (bumps to new releases where the only changes are upstream project CI, code comments etc.)
• dependabot doesn’t know about k/k’s release cycle

I also think library-type projects have different requirements in terms of dependencies compared to directly-consumable projects. It makes sense to me for library-type projects to be conservative in their dependencies, to avoid forcing their users to upgrade other parts of the dependency tree quicker than strictly necessary; whereas end-user-facing projects (projects that build binaries or container images for direct consumption) might want to stay closer to the latest available releases of their dependencies. Keeping older library dependencies might seem dangerous, but there have been several cases in k/k where a dependency introduced bugs which didn’t affect “smaller” repositories in the Kubernetes project but affected k/k — so bumping them in the library project meant that k/k itself couldn’t bump the library dependency, even though the dependency bump in the library was artificial (not mandated by the library requiring new features in the dependency).

In this particular project, there are only two dependencies, both only used for test code.