The GSoC project to update all core libraries is a great idea and effort.
Once it is completed we should continuously update our dependencies. This ensures core is free from known vulnerabilities and benefits from the latest features of its dependencies. Another important aspect is that it should be easier for us to do major version updates of dependencies as we are not far behind.
GitHub has integrated Dependabot, which monitors our dependencies and creates PRs to update them.
It was already enabled in openmrs-core for security alerts and updates. You might have already seen the warning at
It monitors our dependencies and alerts us if any of them shows up in a known-vulnerabilities database.
I enabled dependabot to also update dependencies when there are new versions.
There are quite a few configuration options (https://docs.github.com/en/github/administering-a-repository/configuration-options-for-dependency-updates#assignees),
such as the maximum number of PRs it should have open at a time (the default is 5), or whether it should assign any reviewers. I tried this by assigning /dev/5 members, which can be expanded to other teams or individuals.
You can see the first PRs here
The PRs are labeled with "dependencies" and the package type.
By default it targets the master branch. We might need to add any other branch that is still supported, so that dependency updates and security updates also get applied to it: for example not only the upcoming 2.4, which is what master is becoming, but also 2.3.
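To make the options above concrete, here is an added example of a .github/dependabot.yml (it is not from the original post or from the openmrs-core repository) that sets the open-PR limit, assigns a reviewing team, keeps the default labels, and adds a second entry for a still-supported release branch. The team slug "openmrs/dev-5" and the branch name "2.3.x" are assumptions; replace them with the real ones.

```yaml
# .github/dependabot.yml
# Added example, not from the original post or the openmrs-core repository.
version: 2
updates:
  # Version updates for the Maven build on the default (master) branch.
  - package-ecosystem: "maven"
    directory: "/"                 # location of the root pom.xml
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5    # Dependabot's default; raise or lower as needed
    reviewers:
      - "openmrs/dev-5"            # ASSUMED team slug for the /dev/5 team; adjust to the real one
    labels:
      - "dependencies"             # listing labels replaces the defaults, so keep both
      - "java"

  # The same version updates for a still-supported release branch, so newer
  # (including patched) versions reach it and not only master.
  - package-ecosystem: "maven"
    directory: "/"
    target-branch: "2.3.x"         # ASSUMED release branch name; use the real one
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "openmrs/dev-5"            # ASSUMED team slug, as above
    labels:
      - "dependencies"
      - "java"
```

One caveat worth knowing: Dependabot raises its security updates against the default branch only; an entry with target-branch set does version updates for that branch, which is how a release branch still picks up patched versions, as long as its open-PR limit is not exhausted by unrelated bumps.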