Dependa-duty

[cdanfon]

[Timebox to 4 hours]

GOAL: Spend the timeboxed amount of time per sprint addressing Dependencies

Process for Github Dependabot Duty

Please use the process outlined in this document, Github: Dependabot Duty when you are assigned to this task.
Reach out to the team in Slack if you need access to the referenced document.

┆Issue is synchronized with this Jira Task

[mmmavis]

At least half of the existing dependabot PRs have been closed! Hooray!

I created a new label "[dependabot] has breaking changes" to mark dependabot PRs containing breaking changes. Those PRs will require more time to fix, review and merge. Just a note that some remaining open PRs can still have breaking changes even though they don't have that label as I didn't have time to check through all PRs.

I'm hoping we can continue merging more dependabot PRs in the next few sprints to keep them at the manageable number. I don't mind taking on this task for the next sprint if other devs have other priorities. :)

[mmmavis]

@cdanfon @mtdenton updates for the dependabot PRs merging progress is above. I'm unsure if this ticket is good to close so leaving the decision to you.

[mtdenton]

@mmmavis Thanks for this! We'll keep this open until we're caught up, you all can decide who will carry this forward in the next sprint.

[cdanfon]

Hey @danielfmiranda can you give us an update as of where we are with dependabot issues? The above comment from Mavis is a perfect example :)

At least half of the existing dependabot PRs have been closed! Hooray!

I created a new label "[dependabot] has breaking changes" to mark dependabot PRs containing breaking changes. Those PRs will require more time to fix, review and merge. Just a note that some remaining open PRs can still have breaking changes even though they don't have that label as I didn't have time to check through all PRs.

I'm hoping we can continue merging more dependabot PRs in the next few sprints to keep them at the manageable number. I don't mind taking on this task for the next sprint if other devs have other priorities.

[danielfmiranda]

Hi @cdanfon!

No problem, for my update:

• Since we have had a code freeze going on for the wagtail 3.0 upgrade, I have not yet merged any dependabot PR's that I have taken a look at during the last sprint. I have only approved these PR's and left comments saying "OK to merge after code freeze". I plan to start merging these once the code freeze ends on 02/22/23
• After taking a look at the zenhub board, it appears that there are 35 Dependabot PRs remaining for the foundation repo.

Thanks!

[cdanfon]

We're skipping this duty during s/c 6th March

[tbrlpld]

For next round, we should focus on security critical updates: https://github.com/MozillaFoundation/foundation.mozilla.org/security/dependabot

[danielfmiranda]

Sprint 06/26/23 - 07/07/23:

• Bump pillow from 9.0.1 to 9.3.0 #9745

[danielfmiranda]

Sprint 06/26/23 - 07/07/23:

• Created 2 new labels pip and npm to differentiate the tickets and show whether they relate to python/pip or npm/yarn. Updated all remaining dependabot tickets accordingly
• Found that Bump requests from 2.28.2 to 2.31.0 #10726 has breaking changes
• Bump pillow from 9.0.1 to 9.3.0 #9745
• Bump social-auth-app-django from 5.0.0 to 5.2.0 #10452
• Bump python-slugify from 6.1.1 to 8.0.1 #10225
• Bump wagtail-factories from 4.0.0 to 4.1.0 #10721
• Bump types-python-slugify from 6.1.0 to 8.0.0.2 #10454
• Bump wagtailmedia from 0.12.0 to 0.14.2 #10730
• Bump django from 3.2.19 to 3.2.20 #10826
• Bump django-htmx from 1.14.0 to 1.15.0 #10757
• Bump faker from 18.10.1 to 18.11.2 #10806
• Bump wagtail from 4.1.5 to 4.1.6 #10722
• Bump black from 22.12.0 to 23.3.0 #10717 (In progress)

33 PR's remain!

[jhonatan-lopes]

Sprint July 10, 2023 - July 21, 2023:

Focused on dev dependencies:

• Bump mypy from 0.971 to 1.4.1 #10794
• Bump pytest from 7.3.1 to 7.4.0 #10789
• Bump pytest-cov from 4.0.0 to 4.1.0 #10731
• Bump sentry-sdk from 1.21.0 to 1.28.0 #10849
• Bump pytest-xdist from 3.2.1 to 3.3.1 #10715
• Bump djlint from 1.19.16 to 1.31.1 #10804
• Bump django-debug-toolbar from 3.5.0 to 4.1.0 #10725
• Bump types-requests from 2.28.3 to 2.31.0.1 #10719
• Bump black from 22.12.0 to 23.7.0 #10869

[jhonatan-lopes]

Sprint July 24, 2023 - August 4, 2023:

• Tagged all open dependabot PRs with either a pip or npm label

• Bump wagtailmedia from 0.14.2 to 0.14.4 #10950
• Bump flake8 from 6.0.0 to 6.1.0 #10937
• Bump black from 22.12.0 to 23.7.0 #10869
• Bump sentry-sdk from 1.28.0 to 1.29.2 #10949
• Bump types-requests from 2.28.3 to 2.31.0.2 #10918
• Bump faker from 18.11.2 to 19.2.0 #10899
• Bump factory-boy from 3.2.1 to 3.3.0 #10916
• Bump wagtail-inventory from 1.6 to 2.2 #10951
• Bump djhtml from 1.5.2 to 3.0.6 #10348
• Bump types-python-slugify from 8.0.0.2 to 8.0.0.3 #10913

[mtdenton]

Pausing this for 8/7 sprint

[jhonatan-lopes]

Sprint August 7, 2023 - August 18, 2023:

• Bump wagtail-localize from 1.3.3 to 1.5.1 #10716
• Bump mypy from 1.4.1 to 1.5.0 #10995
• Bump django-debug-toolbar from 4.1.0 to 4.2.0 #10996
• Bump gitpython from 3.1.30 to 3.1.32 #10993
• Bump django-storages from 1.12.3 to 1.13.2 #10988
• Bump faker from 19.2.0 to 19.3.0 #10987
• Bump psycopg2-binary from 2.9.6 to 2.9.7 #10973
• Bump boto3 from 1.21.12 to 1.28.26 #11005
• Bump gunicorn from 20.1.0 to 21.2.0 #10917

[jhonatan-lopes]

Sprint August 21, 2023 - September 1st, 2023:

• Bump mypy from 1.5.0 to 1.5.1 #11022
• Bump boto3 from 1.28.26 to 1.28.34 #11032
• Bump faker from 19.3.0 to 19.3.1 #11031
• Bump django-pattern-library from 1.0.0 to 1.0.1 #11023
• Bump django-redis from 5.2.0 to 5.3.0 #10760

[jhonatan-lopes]

Sprint September 4th, 2023 - September 15th, 2023:

• Bump pygit2 from 1.11.1 to 1.12.2 #10790
• Bump pytest from 7.4.0 to 7.4.1 #11058
• Bump sentry-sdk from 1.29.2 to 1.30.0 #11059
• Bump social-auth-app-django from 5.2.0 to 5.3.0 #11057
• Bump django from 3.2.20 to 3.2.21 #11065
• Bump cryptography from 41.0.0 to 41.0.3 #11064
• Bump django-environ from 0.10.0 to 0.11.2 #11056
• Bump boto3 from 1.28.34 to 1.28.40 #11066
• Bump dj-database-url from 1.2.0 to 2.1.0 #11006
• Bump django-htmx from 1.15.0 to 1.16.0 #10878
• Bump django-cors-headers from 3.14.0 to 4.2.0 #10848
• Bump black from 23.7.0 to 23.9.1 #11086
• Bump pytest from 7.4.1 to 7.4.2 #11087
  - [ ] Bump faker from 19.3.1 to 19.6.0 #11088
• Bump wagtail-localize from 1.5.1 to 1.5.2 #11089
• Bump gitpython from 3.1.32 to 3.1.35 #11090

[jhonatan-lopes]

Sprint October 16th, 2023 -October 27th, 2023:

• Bump faker from 19.3.1 to 19.6.1 #11091
• Bump sentry-sdk from 1.30.0 to 1.32.0 #11264
• Bump mypy from 1.5.1 to 1.6.1 #11274

[jhonatan-lopes]

Sprint November 13th, 2023 - November 24th, 2023:

• Bump cryptography from 41.0.3 to 41.0.4 #11155
• Bump django-redis from 5.3.0 to 5.4.0 #11200
• Bump types-requests from 2.31.0.2 to 2.31.0.6 #11204
• Bump django-storages from 1.13.2 to 1.14.2 #11228
• Bump psycopg2-binary from 2.9.7 to 2.9.9 #11233
• Bump gitpython from 3.1.35 to 3.1.37 #11244
• Bump social-auth-app-django from 5.3.0 to 5.4.0 #11293
• Bump whitenoise from 6.5.0 to 6.6.0 #11297
• Bump django-pattern-library from 1.0.1 to 1.1.0 #11317
• Bump pytest from 7.4.2 to 7.4.3 #11340
• Bump pytest-django from 4.5.2 to 4.7.0 #11407
• Bump wagtailmedia from 0.14.4 to 0.14.5 #11366
• Bump black from 23.9.1 to 23.11.0 #11408
• Bump mypy from 1.6.1 to 1.7.0 #11410
• Bump scout-apm from 2.26.1 to 3.0.2 #11411
• Bump pytest-xdist from 3.3.1 to 3.5.0 #11468
• Bump sentry-sdk from 1.32.0 to 1.36.0 #11469
• Bump boto3 from 1.28.40 to 1.29.6 #11470
• Bump faker from 19.3.1 to 20.1.0 #11465
• Bump pygit2 from 1.12.2 to 1.13.3 #11466
• Bump wagtail-inventory from 2.2 to 2.5 #11445
• Bump wagtail-localize from 1.5.2 to 1.7 #11443
• Bump asgiref from 3.5.0 to 3.7.2 #11471
• Bump django-htmx from 1.16.0 to 1.17.2 #11442
• Bump django-cors-headers from 4.2.0 to 4.3.1 #11444
• Bump sentry-sdk from 1.36.0 to 1.37.1 #11478
• Bump mypy from 1.7.0 to 1.7.1 #11479
• Bump django from 3.2.21 to 3.2.23 #11358
• Bump wagtail from 4.1.6 to 4.1.9 #11282
• Bump certifi from 2022.12.7 to 2023.7.22 #11487
• Bump pillow from 9.5.0 to 10.0.1 #11488
• Bump willow from 1.4.1 to 1.6.3 #11489

[jhonatan-lopes]

Sprint November 27th, 2023 - December 8th, 2023:

• Bump cryptography from 41.0.4 to 41.0.6 #11492
• Bump boto3 from 1.29.6 to 1.33.6 #11499
• Bump sentry-sdk from 1.37.1 to 1.38.0 #11498

[jhonatan-lopes]

Sprint December 11th, 2023 - December 22nd, 2023:

• Bump willow from 1.4.1 to 1.6.3 #11489
• Bump pillow from 9.5.0 to 10.0.1 #11488
• Bump boto3 from 1.33.6 to 1.33.12 #11529
• Bump isort from 5.12.0 to 5.13.1 #11530

[jhonatan-lopes]

Sprint January 22nd, 2024 - February 2nd, 2024:

• Bump urllib3 from 1.26.15 to 1.26.18 #11708
• Bump isort from 5.13.1 to 5.13.2 #11566
• Bump mypy from 1.7.1 to 1.8.0 #11613
• Bump flake8 from 6.1.0 to 7.0.0 #11667
• Bump pytest from 7.4.3 to 8.0.0 #11781

[jhonatan-lopes]

Sprint February 5th, 2024 - February 16th, 2024:

• Bump types-python-slugify from 8.0.0.3 to 8.0.2.20240127 #11782
• Bump black from 23.11.0 to 24.1.1 #11783
• Bump django-debug-toolbar from 4.2.0 to 4.3.0 #11816
• Bump pytest-django from 4.7.0 to 4.8.0 #11818
• Bump pytest-sugar from 0.9.7 to 1.0.0 #11821
• Bump sentry-sdk from 1.38.0 to 1.40.1 #11832
• Bump wagtail-color-panel from 1.4.1 to 1.5.0 #11609
• Bump wagtail from 5.2.2 to 5.2.3 #11784
• Bump boto3 from 1.33.12 to 1.34.36 #11837
• Bump python-slugify from 8.0.1 to 8.0.3 #11817
• Bump scipy from 1.9.3 to 1.10.0 #11704
• Bump cryptography from 41.0.6 to 42.0.0 #11829
• Bump faker from 20.1.0 to 23.0.0 #11836
• Bump pillow from 10.0.1 to 10.2.0 #11759
• Bump gitpython from 3.1.37 to 3.1.41 #11709
• Bump pygit2 from 1.13.3 to 1.14.0 #11779

[jhonatan-lopes]

Sprint February 19th, 2024 - March 1st, 2024:

• Bump django from 4.2.9 to 4.2.10 #11841
• Bump cryptography from 42.0.0 to 42.0.2 #11877
• Bump pytest from 8.0.0 to 8.0.1 #11878
• Bump cryptography from 42.0.2 to 42.0.4 #11895
• Bump pytest from 8.0.1 to 8.0.2 #11907

[jhonatan-lopes]

Sprint March 18th, 2024 - March 30th, 2024:

• Bump django from 4.2.10 to 4.2.11 #12017
• Bump mypy from 1.8.0 to 1.9.0 #12024
• Bump pytest from 8.0.1 to 8.1.1 #12027
• Bump types-python-slugify from 8.0.2.20240127 to 8.0.2.20240310 #12028
• Bump sentry-sdk from 1.41.0 to 1.42.0 #12069
• Bump black from 24.1.1 to 24.3.0 #12070
• Bump boto3 from 1.34.36 to 1.34.64 #12068

[AdalbertoMoz]

Sprint May 27, 2024 - June 10, 2024:

• Bump requests from 2.31.0 to 2.32.3 #12415
• Bump faker from 25.0.1 to 25.6.0 #12452
• Bump pytest from 8.1.1 to 8.2.2 #12453
• Bump dj-database-url from 2.1.0 to 2.2.0 #12418
• Bump boto3 from 1.34.98 to 1.34.122 #12459
• Bump pygit2 from 1.14.0 to 1.15.0 #12356

[data-sync-user]

➤ Mavis Ou commented:

Forgot to update this ticket last sprint. Below is what got merged.

Sprint March 4, 2024 - March 15, 2024

1. Bump eslint from 8.49.0 to 8.57.0 #11902 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11902|smart-link )
2. Bump @tailwindcss/forms from 0.5.6 to 0.5.7 #11416 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11416|smart-link )
3. Bump classnames from 2.3.2 to 2.5.1 #11624 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11624|smart-link )
4. Bump classnames from 2.3.2 to 2.5.1 #11624 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11624|smart-link )
5. Bump countup.js from 2.7.0 to 2.8.0 #11036 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11036|smart-link )
6. Bump browserslist from 4.21.10 to 4.23.0 #11881 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11881|smart-link )
7. Bump autoprefixer from 10.4.15 to 10.4.18 #11969 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11969|smart-link )
8. Bump postcss-scss from 4.0.6 to 4.0.9 #11199 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11199|smart-link )
9. Bump eslint-plugin-react from 7.32.2 to 7.34.0 #12015 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/12015|smart-link )
10. Bump postcss from 8.4.33 to 8.4.35 #11859 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11859|smart-link )
11. Bump sentry-sdk from 1.40.1 to 1.41.0 #12029 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/12029|smart-link )
12. Bump cssnano from 6.0.1 to 6.1.0 #12016 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/12016|smart-link )
13. Bump tailwindcss from 3.3.3 to 3.4.1 #11662 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11662|smart-link )
14. Bump @playwright/test from 1.36.1 to 1.42.1 #11971 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11971|smart-link )
15. Bump follow-redirects from 1.15.5 to 1.15.6 #12054 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/12054|smart-link )
16. Bump the npm_and_yarn group group with 1 update #12059 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/12059|smart-link )
17. Bump browser-sync from 2.29.3 to 3.0.2 #11627 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11627|smart-link )
18. Bump postcss-cli from 10.1.0 to 11.0.0 #11523 ( https://github.com/MozillaFoundation/foundation.mozilla.org/pull/11523|smart-link )