Open Stellar uses Dependabot and Renovate to keep npm and GitHub Actions dependencies current without mixing unrelated upgrade risk into feature work.
- Dependabot opens weekly npm and GitHub Actions PRs on Monday UTC.
- Renovate groups common package families such as Stellar, Radix UI, and wallet connector packages.
- Patch dependency PRs may be queued for auto-merge after required checks pass.
- Minor updates remain reviewable and should include a changelog scan for breaking behavior.
- Major updates always require manual review.
Dependabot security alerts should stay enabled in the repository settings. Critical CVEs should be handled immediately instead of waiting for the weekly dependency window.
snarkjs is intentionally pinned at the current 0.7.x line and is ignored by automated dependency updaters.
Upgrading snarkjs can change proof generation or verification behavior and may require regenerating ZK artifacts under public/zk/. Treat any snarkjs upgrade as a manual migration:
- Regenerate the affected WASM, zkey, proof, public input, and verification key artifacts.
- Run the passport authorization and status tests.
- Verify browser-side proof generation against the deployed Soroban verifier.
- Document the artifact regeneration command and verifier compatibility in the PR.