As already pointed out in https://github.com/kubeapps/kubeapps/issues/2228 and https://github.com/kubeapps/kubeapps/pull/2224, we should perform a periodic analysis of Kubeapps' dependencies in order to be aware of any vulnerability or deprecation.
Currently, the process of how to update deps is unclear (besides some attempts to update it, e.g., https://github.com/kubeapps/kubeapps/pull/2231).
I personally think the process is twofold:
This issue is just for us to add our comments and to reach an agreement on what to do regarding dependencies.
As suggested in offline discussions, here is a very initial evaluation of both Snyk and Trivy tools:
https://via.vmw.com/2021-kubeapps-deps-tool
If you prefer to move there the discussion on how we plan to update deps (in general, not regarding security updates) , I'm also ok with that.
Regarding the idea of how to keep our deps up to date, I'd start by setting up Dependabot properly. Now it is only alerting about (some) security updates, but it is much more powerful. It is integrated within Github and it will just send PRs. WDYT?
https://docs.github.com/en/github/administering-a-repository/enabling-and-disabling-version-updates
Sounds good. Regarding the security report, I am okay using snyk.
Snyk added! Let's see how it behaves.
Also, I've noticed that it also check for general upgrades [1], so let's hold the Dependabot config for a while then.
[1] https://support.snyk.io/hc/en-us/articles/360006581898-Upgrading-dependencies-with-automatic-PRs
Mmm, it seems Snyk isn't generating these PRs. I've set Dependabot up in my fork and see how it looks like:

The config is straightforward: https://github.com/antgamdia/kubeapps/blob/master/.github/dependabot.yml
WDYT?
I'm worried about how much extra work this is going to cause but I am fine giving it a try.
Fine with me - it's doing work for us that we'd otherwise have to do. If it's as simple as clicking Merge when tests have passed, I'm all for it :)