
Reconfigure renovate or add dependabot to make sure we get dependency PRs for known security vulnerabilities #1621

Open
SmashingQuasar opened this issue Jun 14, 2024 · 2 comments
Assignees
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@SmashingQuasar

Thanks for stopping by to let us know something could be better!

Is your feature request related to a problem? Please describe.

When this package has a vulnerable dependency, contributors need to manually open a PR and an issue to upgrade said dependencies.

Describe the solution you'd like

Setting up an automated system such as DependaBot would significantly increase the QoL for contributors and users. It would also save time and increase security.

Describe alternatives you've considered

Additional context

You can find a quickstart guide for DependaBot on GitHub Docs.

@SmashingQuasar SmashingQuasar added priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Jun 14, 2024
@leahecole
Contributor

Hey! So we actually use Mend renovate and have for a very long time! Agreed that automated dependency upgrades are the way to go. Here's an example PR from renovate. I was chatting with @sofisl though because I did see that in this particular case for grpc-js she updated the dependency manually as part of another cleanup and I wondered why an automated one didn't come in. I think that in this case, gax would have been pulling in the most recent version of grpc-js anyways during installation and it was within the range that we have configured under the hood for renovate. We do agree though, that we need to tweak things a bit to make sure that security vulnerability PRs get opened no matter what; that's a good shout. I'm going to modify the title of this to reflect that

@leahecole leahecole changed the title Consider using DependaBot or similar for automatic dependencies upgrade Reconfigure renovate or add dependabot to make sure we get dependency PRs for known security vulnerabilities Jun 26, 2024
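The maintainer's comment above describes the gap: a dependency inside the configured range was resolved at install time, so no upgrade PR was opened even though a vulnerable version was in play. The following is an added example of a Renovate configuration that makes vulnerability-driven PRs independent of the normal range and schedule rules; it is not this project's own renovate config and assumes a Node/npm repository where the Mend Renovate app has access to GitHub's dependency vulnerability alerts (the `vulnerabilityAlerts` and `osvVulnerabilityAlerts` options are documented Renovate settings; the label names and schedule values are placeholders chosen for illustration).

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security", "dependencies"],
    "schedule": ["at any time"],
    "prCreation": "immediate",
    "automerge": false
  },

  "osvVulnerabilityAlerts": true,

  "packageRules": [
    {
      "matchManagers": ["npm"],
      "matchUpdateTypes": ["minor", "patch"],
      "groupName": "non-security npm updates",
      "schedule": ["before 6am on monday"]
    }
  ]
}
```

The `vulnerabilityAlerts` block is applied only to updates that fix a reported vulnerability, so those PRs bypass the weekly grouping and schedule defined for ordinary minor and patch bumps. `osvVulnerabilityAlerts` adds the OSV database as a second source, which matters when a repository's GitHub alerts are disabled or the app lacks permission to read them. A quick check after enabling this is to confirm that the Renovate dashboard issue lists a "Vulnerability alerts" section and that a known-advisory dependency produces a PR outside the normal schedule window.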
@SmashingQuasar
Author

Hey!

Thanks for the detailed explanation, I appreciate it. :)
Any system works, indeed, DependaBot is just one of them.
In any case, thanks for the answer, I hope this will be implemented in the future so we don't have to worry too much about those vulnerabilities! ;)
