About two yrs ago, we started generating a koku-ui-manifest file; in addition to a yarn.lock file, whenever we manually update packages. At the time, this was required for vulnerability and compliance tracking.

More recently, running a script to create the manifest has become a problem. Wewould like to use Github's dependabot feature to automatically update dependencies. Athough we could use a Github action to create the manifest, that approach does not work well with containerized builds.

That said, looking at other apps under the Consoledot (Insights) platform, but have only seen a manifest in the Sources UI, which is 2+ yrs old. For example, I don't see a manifest for UIs like Settings, Subscriptions, Inventory, Patchman, Catalog, etc.

I reached out to product security and we can stop generating this manifest file. This should make it much easier to add features like "dependabot" to automatically update dependencies.

The answer is, {}yes, you can stop generating this manifest by yourself*{*}. We are generating the manifests we need with our own tooling (mangen). It is executed daily by analyzing git repositories and container images in Quay.io. If you change any dependency with dependabot, the next day the manifest (the one that we are generating) will be updated. – Florencio Cano Gabarda