Splitting this from the vote thread. Pulkit had suggested the possibility to try updating dependencies as part of a regularly run job. That is very similar to the process proposed by Netflix's dependency lock plugin <https://github.com/nebula-plugins/gradle-dependency-lock-plugin/wiki/General-Use-Pattern> .
I see lots of value in a dependency management tool that captures and uses more information than we currently have. I'd like to see the following information captured: 1. What is a known good set of dependencies? 2. Which dependencies cannot be updated safely? We currently have 1. in the versions properties but not 2. Having both pieces of information would allow for a process that updates all dependencies that are not known to need manual changes in order to update, runs tests and if successful locks down dependencies so that I can easily answer 1. with latest versions. This would cut down on manual effort and get us newer versions and their security patches for practically free for many libraries. There are of course lots of details that would need to be figured out. Thoughts?
