Dependency management

Forgejo relies on hundreds of Free Software components and they all need to be updated on a regular basis, with appropriate tooling and methods.


Software referenced by a release (even if such a release is the hash of a commit). They are listed in the dependency dashboard which is updated by renovate from the renovate.json configuration file.

Pull requests are opened when an upgrade is available and the decision to merge (positive review) or not (request for change review) depends on what the upgrade offers.

  • The PR contains information about the release. If it does not, it has detailed references that can be used to browse the commits in the dependency source repository and figure out what the changes are.
  • The comment of the review:
    • explains the decision (needed, not needed)
    • explains why the change has an impact on Forgejo
  • If the upgrade is needed, user visible changes must be included in the draft release notes for the upcoming release. See this upgrade for an example.
  • Security fix and important bug fixes are backported to the stable releases.
  • Set the dependency label.

Soft forks





Injects itself via a workflow in its dependencies.


Cherry-picked in the Forgejo codebase on a regular basis using a dedicated CLI tool.