ci: config renovate config file #237

Merged

MarlonPassos-git
Contributor

Tip

The owner of this PR can publish a preview release by commenting /publish in this PR. Afterwards, anyone can try it out by running pnpm add radashi@pr<PR_NUMBER>.

Summary

Create the config file to integrate the project with renovate.

  • Configured to run weekly on the weekend,
  • All dependencies will be grouped in a single PR.
  • Use the dependency dashboard in the issue.

Related issue, if any:

https://github.com/orgs/radashi-org/discussions/170

For any code change,

  • Related documentation has been updated, if needed
  • Related tests have been added or updated, if needed
  • Related benchmarks have been added or updated, if needed

Does this PR introduce a breaking change?

No

Member

@aleclarson aleclarson left a comment

This is cool! Thanks for working on it, Marlon. 👍 👍

Considering that Radashi only has dev dependencies, I wonder if it's worth the effort of upgrading them every week? Do you have a theory for this?

I know we want security updates. I found a Renovate issue where someone found a configuration that only handles security vulnerabilities (see here). So that's an option, if nothing else.

But I'm still curious about the benefits of upgrading on a regular basis. The obvious answer is “more bug fixes, more performance boosts” but those aren't always worth the attention required to check out the Renovate PR and test it to ensure there aren't regressions, so I'm on the fence about it.

renovate.json Outdated
Comment on lines 3 to 4
"lockFileMaintenance": {
"enabled": false
Member

This is disabled by default

Contributor Author

@MarlonPassos-git MarlonPassos-git Sep 8, 2024

It was a mistake; it was supposed to be activated.

By default, Renovate deletes the lockfiles and installs the dependencies. This sounds to me like "if I'm going to delete the lock file every time I update, it's the same as not having a lock file."

That said, I think it makes sense to keep the lock file.

https://docs.renovatebot.com/configuration-options/#lockfilemaintenance

@MarlonPassos-git
Contributor Author

> Considering that Radashi only has dev dependencies, I wonder if it's worth the effort of upgrading them every week? Do you have a theory for this?

No 😅, I put weekly because that's what came to my head at the time. That said, I think monthly might be OK for someone to have time to check the dependencies. What do you think?

> I know we want security updates. I found a Renovate issue where someone found a configuration that only handles security vulnerabilities (renovatebot/renovate#15490 (comment)). So that's an option, if nothing else.

I think it's interesting to leave this active.

> But I'm still curious about the benefits of upgrading on a regular basis. The obvious answer is “more bug fixes, more performance boosts” but those aren't always worth the attention required to check out the Renovate PR and test it to ensure there aren't regressions, so I'm on the fence about it.

Your comment made me reflect, and after some research, I found there's a discussion around how frequently dependencies should be updated. I believe neither extreme is ideal — “never updating” nor “updating constantly.” A middle ground, like monthly or semi-annual reviews, makes more sense, allowing time to check for updates. In my work, I've had negative experiences with outdated dependencies that made project evolution difficult. While this project only has development dependencies, I believe most updates generally bring significant improvements.

@aleclarson aleclarson added the priority: high This needs attention soon. label Sep 17, 2024
@aleclarson aleclarson merged commit d2715f0 into radashi-org:main Sep 21, 2024
6 checks passed
@aleclarson
Member

Thanks a lot for setting this up 👏 😄
