Context
This project serves as a community-maintained fork of MinIO, and one of its key goals is to stay up to date with upstream changes — notably to address CVE vulnerabilities in a timely manner.
Currently, there is no automated dependency update mechanism in place (neither Renovate nor Dependabot is configured). Given the security-sensitive nature of an object storage service, having automated dependency update PRs would be a natural fit for this project.
Proposal
Set up Renovate to automatically create pull requests when dependencies (Go modules, Docker base images, GitHub Actions, etc.) have new versions available. This would help:
- Catch CVE fixes early — security patches in transitive dependencies would surface as PRs without manual monitoring
- Reduce maintenance burden — maintainers review and merge rather than manually tracking updates
- Keep the project healthy — consistent, small dependency bumps are easier to review than large, infrequent upgrades
A minimal renovate.json at the root of the repo would be sufficient to get started.
Availability to help
We — @davinkevin and @mfredenhagen — use this project professionally and would be happy to help maintain the repository and contribute fixes as needed. If Renovate is enabled, we can also assist with reviewing and merging dependency update PRs.
Context
This project serves as a community-maintained fork of MinIO, and one of its key goals is to stay up to date with upstream changes — notably to address CVE vulnerabilities in a timely manner.
Currently, there is no automated dependency update mechanism in place (neither Renovate nor Dependabot is configured). Given the security-sensitive nature of an object storage service, having automated dependency update PRs would be a natural fit for this project.
Proposal
Set up Renovate to automatically create pull requests when dependencies (Go modules, Docker base images, GitHub Actions, etc.) have new versions available. This would help:
A minimal
renovate.jsonat the root of the repo would be sufficient to get started.Availability to help
We — @davinkevin and @mfredenhagen — use this project professionally and would be happy to help maintain the repository and contribute fixes as needed. If Renovate is enabled, we can also assist with reviewing and merging dependency update PRs.