I just stumbled across Scala Steward [1]. From their website, "Scala Steward is a bot that helps you keep library dependencies and sbt plugins up-to-date."
This bot periodically checks to see if there are any newer versions of dependencies, and if detected will create a pull request to update that dependency in the project/Dependencies.scala file. I've enabled it on my fork as a test, and it just created a bunch of pull requests, so you can see what it looks like at my fork:

https://github.com/stevedlawrence/daffodil/pulls

The benefit here is we can rely on this bot to keep our deps updated so we don't fall behind, and can rely on our GitHub actions to test if anything breaks for a particular dependency. So much of the process becomes automated.

Some parts are still manual, like checking that the license for the dependency hasn't changed, and updating the bin.NOTICE file which mentions library versions, so there's still some work. But it at least automates part of the process.

It also has a config file if needed to do things like pin certain dependencies to a version if needed, configure pull request messages, etc. My fork above just uses the default configuration.

If we do want to enable this, all we need to do is create a pull request to add "apache/daffodil" to the Scala Steward repo's file--pretty simple change.

Thoughts?

[1] https://github.com/scala-steward-org/scala-steward