Dep Warden Guide

Your 30-minute Monday ritual to keep dependencies healthy across all repos.

How it works

Every Monday at 08:45 ICT, Renovate has already run over the weekend and grouped all pending dependency updates into PRs. A Slack message lands in #tradeit-dev tagging the warden with a summary. The warden's job is to spend ~30 minutes reviewing what needs a human decision — everything else is automated.

Weekend: Renovate runs, creates grouped PRs
08:45 ICT: Slack digest posted, warden tagged
+30 min: Warden posts summary, hands off
CI: Approved PRs auto-merge if green

Step 1 — Start the ritual in Slack

Click "▶️ Start 30-min ritual" in the Slack message

The Monday Slack message looks like this. It shows the stats for all repos and lists any repos with open PRs. Click ▶️ Start 30-min ritual to begin — this starts the timer and confirms you're on duty.

At +25 min Slack pings you "5 minutes left". At +30 min it reminds you to post a summary. If you're unavailable, click 🙋 Take ownership to hand to someone else, or ⛔ Skip this week.

#tradeit-dev — Monday 08:45
dep-warden-bot App 08:45
📦 Dependency hygiene · @Kim is warden this week
10 open PRs · 5 auto-merged last 7d · 0 stuck >1w · 2 queued majors · Full dashboard ↗
• tradeit — 6 PRs · 🟡 1 majors · dashboard
• pricing-manager — 3 PRs · 🟡 1 majors · dashboard
• tradeit-socket-server — 1 PRs · dashboard
[▶️ Start 30-min ritual] [⛔ Skip this week] [⏭️ Hand off] [🙋 Take ownership]

Step 2 — Review the Dependency Dashboard page

Open ops.tradeit.gg/deps.html — linked from the Slack message

The dashboard shows live data for all 12 repos. Repos are sorted by open PR count so the busiest ones are at the top. Focus on anything non-zero.

[Screenshot: Dependency Hygiene dashboard]

A. Summary cards — at a glance: total open PRs, auto-merged in the last 7 days, stuck PRs (>1 week old), and queued majors awaiting your approval.
B. Repo name — click to open the repo directly on GitHub. Sorted by open PR count.
C. Queued majors badge 🟡 — this repo has major version updates waiting for your approval. You must approve them in the Dependency Dashboard issue (Step 4) before a PR gets created.
D. Dashboard link — opens the GitHub "Dependency Dashboard" issue for that repo. This is where you approve majors. A "—" means Renovate hasn't scanned that repo yet.

| Column | What to do |
| --- | --- |
| Open PRs | Check they're not stuck. Patch/minor PRs auto-merge if CI is green — no action needed. |
| Auto-merged 7d | Informational — confirms automation is working. |
| Stuck >1w 🔴 | Open the PR, check why CI is failing, fix or escalate to the owning dev. |
| Queued majors 🟡 | Click Dashboard → approve in the GitHub issue (Step 4). |

Step 3 — Review open PRs for repos with activity

Check the grouped PRs in GitHub

For each repo with open PRs, click the repo name to go to GitHub. Filter by author:app/renovate to see only Renovate PRs.

| PR type | Label | Action |
| --- | --- | --- |
| Patch updates | auto-merge | Nothing. CI merges them automatically if green. |
| Dev dep minor | auto-merge | Nothing. Auto-merged on CI pass. |
| Prod dep minor (grouped) | review | Scan the changelog in the PR. If nothing looks breaking, approve and merge. |
| Major bump | major-bump | Don't merge directly — approve via Dashboard issue first (Step 4). |
| Security fix | security | Already auto-merged. Just verify CI passed. |

Stuck PR — if a PR is open for more than a week, it will show as 🔴 in the dashboard. Open it, read the CI failure, and either fix it yourself or assign to the dev who owns that package area.

Step 4 — Approve major bumps in the Dependency Dashboard issue

Click "Dashboard" → tick checkboxes to approve majors

Click the Dashboard link in the deps page for any repo showing 🟡 queued majors. It opens a GitHub issue titled "Dependency Dashboard #XXXX" that looks like this:

[Screenshot: GitHub Dependency Dashboard issue]

A. Repository Problems / Deprecations — informational warnings. The renovate.json → default.json warning will clear after Renovate's next run following our config rename. Ignore for now. The deprecated packages (aws-sdk, coinbase-commerce-node) have no auto-replacement — log in Linear for manual migration.
B. Pending Approval section — this is the action area. Each unchecked box is a major version update waiting for your go-ahead. Tick a checkbox → Renovate opens the PR within 1–2 minutes.
C. Awaiting Schedule — updates that are queued but waiting for the right day/time per the schedule config. No action needed — they'll run automatically.
E. Detected Dependencies — full inventory of what Renovate is tracking. Useful for auditing but not actionable during the ritual.

Triage rubric — what to approve:

| Package type | Decision |
| --- | --- |
| GitHub Actions / CircleCI orbs | ✅ Approve — infrastructure tooling, low risk. |
| Dev tooling (eslint, typescript, jest, prettier) | ✅ Approve if changelog shows no config format change. |
| Runtime prod deps (express, aws-sdk, prisma…) | ⚠️ Create a Linear ticket in "Dependency Hygiene" project for team review. Don't approve here. |
| Any package with security label | ✅ Fast-track approve regardless of major/minor. |
| Node.js runtime version bump | ⚠️ Coordinate with team — needs infra + app changes together. |

What happens after you tick a checkbox? Renovate creates the PR automatically within 1–5 minutes. The PR gets the major-bump label. CI runs. If CI passes, the PR sits open for a human to merge — majors are never auto-merged. If CI fails, add a comment and assign to the relevant dev.
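
For reference, the PR-type table in Step 3 and the approval flow in Step 4 map onto Renovate settings roughly as follows. This is an added sketch, not the team's actual shared preset; the timezone value and the group name are assumptions, and the labels are the ones listed in this guide.

```json5
// Added illustration only: NOT the team's real Renovate configuration.
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  extends: ["config:recommended"],
  dependencyDashboard: true,     // creates the "Dependency Dashboard" issue
  timezone: "Asia/Bangkok",      // assumption: an IANA zone on ICT (UTC+7)
  schedule: ["every weekend"],   // PRs are ready before the Monday digest
  // Security fixes: labelled "security" and auto-merged.
  vulnerabilityAlerts: {
    labels: ["security"],
    automerge: true,
  },
  // Rules are applied in order; a later matching rule overrides earlier ones.
  packageRules: [
    { // Patch updates: merged automatically once CI is green.
      matchUpdateTypes: ["patch"],
      addLabels: ["auto-merge"],
      automerge: true,
    },
    { // Dev dependency minors: same treatment as patches.
      matchDepTypes: ["devDependencies"],
      matchUpdateTypes: ["minor"],
      addLabels: ["auto-merge"],
      automerge: true,
    },
    { // Prod dependency minors: one grouped PR that a human reviews.
      matchDepTypes: ["dependencies"],
      matchUpdateTypes: ["minor"],
      groupName: "prod minor updates",   // hypothetical group name
      addLabels: ["review"],
      automerge: false,
    },
    { // Majors: no PR until the box is ticked in the Dashboard issue,
      // and never auto-merged afterwards.
      matchUpdateTypes: ["major"],
      dependencyDashboardApproval: true,
      addLabels: ["major-bump"],
      automerge: false,
    },
    { // Internal packages are managed manually. Glob matching here assumes
      // a recent Renovate release (older ones used matchPackagePrefixes).
      matchPackageNames: ["@zengamingx/**"],
      enabled: false,
    },
  ],
}
```

Renovate only auto-merges a branch whose status checks pass, so the auto-merge rules are only as strong as each repo's CI and branch protection.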

Step 5 — Post summary & hand off

Reply in the Slack thread, then click ⏭️ Hand off

Reply to the Monday Slack message thread with a brief summary:

Kim 09:12
✅ tradeit-backend, tradeit-socket-server — all patches green, auto-merged.
🟡 Approved actions/checkout v6 + setup-node v4 majors for tradeit-backend.
⚠️ tradeit — 1 stuck PR (#1230, ESLint failing) — tagged Neo to investigate.
📦 pricing-manager major (express v6) — created DEV-5021 for team review.

Then click ⏭️ Hand off in the original message to rotate to the next warden. The bot will confirm the next warden in the thread.

Edge cases & FAQ

| Situation | What to do |
| --- | --- |
| Can't make it Monday | Click 🙋 Take ownership in Slack before 08:45 to transfer duty, or ⛔ Skip — next Monday's warden picks up the backlog. |
| Dashboard link shows "—" | Renovate hasn't scanned that repo yet. Trigger a run from the Mend admin panel ↗. |
| "renovate.json deprecated" warning in issue | Will clear automatically after Renovate's next run. Safe to ignore. |
| aws-sdk / coinbase-commerce-node "unavailable" replacement | No auto-fix exists. Log a Linear ticket for manual migration. These won't produce PRs. |
| Major PR fails CI after you approve it | Add a comment on the PR with the failure reason and assign to the relevant dev. Don't close the PR. |
| @zengamingx/* package lookup failure | Internal packages are excluded from Renovate. Safe to ignore — these are managed manually. |