Configure dependabot behavior #4217

drewbo · 2023-08-03T17:52:51Z

Consider how we want to handle dependabot behavior for security updates

Notes

We currently see a large number of dependabot PRs that are hard to manage
~~Create a dependabranch to have all dependabots to create PRs.~~ Not Possible
Identify a cadence for review and updates.

The text was updated successfully, but these errors were encountered:

drewbo · 2023-08-08T17:27:56Z

Security updates won't respect target-branch in the dependabot.yml config so we can't create a dependabranch (😞). My proposal for now:

[ci skip] incoming dependabot PRs so they don't add noise to our dev environment (plus they can't be merged directly anyway, added in Optimize dev deployment #4222)
"Quickly" rebase/merge/release any PR which addresses a critical or high vulnerability. We could also gate PRs/deploys on whether they introduce any vulnerabilities. Let's confer with others on timelines.
Otherwise do quarterly dependency reviews with yarn audit and work towards removing/updating other old dependencies

apburnes · 2023-08-21T18:10:21Z

Try to schedule time with platform this week.

drewbo · 2023-08-28T19:39:31Z

drewbo added the squad-pages label Aug 3, 2023

drewbo self-assigned this Aug 8, 2023

drewbo added a commit that referenced this issue Aug 15, 2023

chore: extend dependabot config to admin and metrics (#4217)

d4a6880

drewbo mentioned this issue Aug 15, 2023

Chore extend dependabot skips #4233

Merged

drewbo added a commit that referenced this issue Aug 16, 2023

chore: extend dependabot config to admin and metrics (#4217)

7c67a3f

cloud-gov-pages-operations mentioned this issue Aug 16, 2023

Release 0.2.0 #4215

Merged

drewbo closed this as completed Aug 28, 2023

cloud-gov-pages-operations mentioned this issue Mar 11, 2024

Release 0.7.0 #4398

Merged

drewbo mentioned this issue Mar 13, 2024

Add dependency auditing/monitoring cloud-gov/pages-build-container#458

Closed

3 tasks