automatic dependency updates

The GSoC project to update all core libraries is a great idea and effort :slight_smile:

Once it is completed we should continuously update our dependencies. This ensures core is free from known vulnerabilities and benefits from the latest features of its dependencies. Another important aspect is that it should be easier for us to do major version updates of dependencies as we are not far behind.

GitHub has integrated dependabot which monitors our dependencies and creates PRs to update them.

It was already enabled in openmrs-core for security alerts and updates. You might have already seen the warning at


It monitors our dependencies and if they show up in any known vulnerabilities database.

I enabled dependabot to also update dependencies when there are new versions.

There are quite a few configuration options

like the maximum number of PRs should it have open at a time (default is 5), or if it should assign any reviewers. I tried this by assigning /dev/5 members, which can be expanded to other teams or individuals.

You can see the first PRs here

the PRs are labeled with dependencies and the package type

By default it targets the master branch. We might need to add any other branch that is still supported so any updates and security updates so get applied to it. For example not only the upcoming 2.4 since master is getting updated, but also 2.3.


great work, thanks @teleivo

The PRs even show the release notes and commits that come with the updated library. the commit includes a link to the release notes

See for example




@teleivo can we apply it to the other Modules like FHIR ,WebREST etc …

1 Like

Thats awesome @teleivo , wel done

Interesting feature thanks @teleivo for great work

definitely :slight_smile:


well done @teleivo

Thank again @teleivo for the tremendous amount of effort that you are putting in all this! :slight_smile:


great work :smiley:

An important thing we can do to help us and dependabot is to use properties in our pom that hold versions of libraries that need to be kept in sync. This is valuable for manual and automatic updates.

For example spring is split into lots of different libraries that one can pick and choose. We do need to ensure that they are all on the same version as they are also released together (at least as far as I know).

So we have a springVersion like here

This is reused in the individual dependency declarations in the pom.xml This then also let’s dependabot create a single PR & commit that updates them together as you can see at

1 Like

So its been a while now that we are using dependabot in openmrs-core on the master branch. From my point of view it is working well: continuously creating PRs for updates while respecting the major versions of for example spring, hibernate, lucene we need to stick to. It also adds the dev-5 team as reviewers into the PR which notifies us of an update/PR.

QUESTION: Does it make sense to add the dev-4 github team into the dependabot reviewers? They have the write role on GitHub so should be able to merge these PRs. This would increase the potential reviewers and hopefully take some work of @dkayiwa which I see mostly merging them. If I don’t hear any meaningful objections I will add them.

ACTION/VOLUNTEER: is anyone interested in adapting the dependabot.yml for the other active branches? Actively maintained openmrs versions should also receive automatic version updates while respecting their particular major version requirements.