# Pattern: Dependency Update Bot Status: seed Readiness target: RL2 private beta Primary owners: product repos Genesis family: Supply chain ## Problem Dependency updates become stale, risky, and manual when there is no repeatable intake and test path. ## Context Use this pattern for application dependencies, container base images, GitHub Actions, Helm charts, Terraform providers, and platform tools. ## Forces - Automated updates reduce known-vulnerability exposure. - Update noise can overwhelm reviewers. - Security updates need prioritization. - Tests must catch compatibility breakage. ## Solution Use automated dependency update pull requests with grouping rules, security prioritization, test gates, review ownership, and release notes. ## Verification - Dependency inventory is covered by update automation. - Security updates are surfaced with priority. - Update PRs run relevant tests. - Deferred updates have owner and reason. ## Related Patterns - Protected Main Branch. - SBOM-per-Release. - Quarantined Build Runner. - Supply-Chain Provenance.