### Problem While GitLab is largely considered a monolith, there are many projects outside of the monolith which have a dependency on each other and on the monolith and vice versa. Each of these projects also use many third-party languages/tools/dependencies(e.g. Docker). Managing these dependencies is a challenge to ensure there are no inadvertent breaking changes by updating one component while not updating the other. This issue is primarily restricted in scope for the Runner projects. At the time of writing this issue, there have been many projects which did not receive version updates. Some did not see any updates for more than years together. This can lead to CVEs which ultimately affects our customers. [We updated a lot of them](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/39146#note_2972801678) lately. But without an automated solution, this is a losing battle. ### Solution GitLab has traditionally used Renovate internally to update dependencies across projects. We need to ensure that any and all dependencies/tools/languages have a corresponding Renovate automation setup. This will ensure we update our dependencies at regular intervals. Some examples include - Build tools(e.g. docker) used in CI and in local development. - Language version updates(e.g. Go, NodeJS, Python, etc.). - Package/library updates(e.g. go.mod, package.json, etc.). - Language ecosystem tools(e.g. mockery, linters, etc.). - Anything which has a version number in your repository. Example - https://gitlab.com/gitlab-org/frontend/renovate-gitlab-bot/-/merge_requests/1330+ There is a chance that we might still end up introducing some breaking changes because of some implicit dependencies that we are not aware of. But that should not be a reason to not do this automation. As we identify implicit dependencies, we should reflect the same in the Renovate config. Side note - GitLab has a separate category called [Dependency Management](https://about.gitlab.com/direction/security_risk_management/security-insights/dependency_management/) with a Viable maturity to tackle some of these problems and it mentions Renovate as its competitor. In the spirit of dogfooding, we can explore it.