Night Watch Dependencies
Assigned to: Cindy's Navi (cixzhang)
Goal: Keep Astryx dependencies free of known vulnerabilities by auto-resolving Dependabot alerts weekly.
Weekly — Sundays at 6am PST. Unlike other Night Watch roles that run hourly/nightly, Dependencies runs once a week. Most Dependabot alerts accumulate over days, not hours, so weekly cadence keeps things clean without being noisy.
What it does:
- Check open Dependabot alerts on facebook/astryx
- Classify alerts into three tiers based on risk
- Auto-fix Tier 1 and Tier 2 alerts via pnpm overrides or version bumps
- File GitHub issues for Tier 3 alerts (major version bumps requiring human review)
- Create a verified PR for all auto-fixes (build + test must pass)
What it does not do:
- Merge PRs (humans merge)
- Apply major version bumps without human review
- Fix vulnerabilities in published runtime code (that requires a release)
- Override resolutions that are already in package.json
- Feature implementation or refactoring
Tier 1. Criteria: Transitive dependency, patch/minor bump within the same major version.
Action: Add a pnpm override to package.json, then verify with `pnpm install && pnpm build && pnpm test --run`.
Examples: postcss 8.5.x → 8.5.10, brace-expansion 1.1.12 → 1.1.13
Tier 2. Criteria: The vulnerable package powers a specific development tooling flow (vite, vitest, esbuild, storybook) and the fix stays within the installed major version.
Action: Apply the fix (resolution or direct version bump), then run the standard verification plus the specific flow the package powers:
| Package | Extra Verification |
|---|---|
| vite | `pnpm --filter @xds/vibe-tests interactive --sample 1` |
| vitest | Test suite itself is the verification |
| esbuild | Build is the verification |
| storybook | `pnpm storybook:build` |
Tier 3. Criteria: The patched version is a different major version than what's currently installed. This rule takes precedence over Tier 2: a tooling package that needs a major bump is still Tier 3.
Action: Do NOT auto-fix. Create a GitHub issue with the CVE details, current version, required version, and any known breaking changes.
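The tier rules above, as an added worked example (not Night Watch's own code). Alert objects use the field names returned by `gh api repos/OWNER/REPO/dependabot/alerts`; the installed-version map is a constructed stand-in for what `pnpm why <package>` reports in the real run, and treating same-major fixes for direct non-tooling dependencies as Tier 1 is an assumption beyond the page's examples.

```javascript
// Added example for the tier rules above; not Night Watch's own code.
// Alert objects use the field names returned by
// `gh api repos/OWNER/REPO/dependabot/alerts`; the installed-version map is a
// constructed stand-in for what `pnpm why <package>` reports in the real run.

// Packages whose fixes get the flow-specific extra verification (Tier 2).
const TOOLING_PACKAGES = new Set(["vite", "vitest", "esbuild", "storybook"]);

// Parse "8.5.10", "v9.0.7" or "9.0.7-beta.1" into numeric components.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Tier for one alert. The major-version check runs first so a tooling package
// that needs a major bump still lands in Tier 3. Unknown versions also go to
// Tier 3: if the script cannot prove the bump stays in the same major line, a
// human decides. Same-major fixes for direct non-tooling dependencies are
// treated as Tier 1 here, which is an assumption beyond the page's examples.
function classifyAlert(alert, installedVersions) {
  const vuln = alert.security_vulnerability;
  const name = vuln.package.name;
  const installed = installedVersions[name];
  const patched = vuln.first_patched_version ? vuln.first_patched_version.identifier : null;
  if (!installed || !patched) {
    return { name, tier: 3, reason: "installed or patched version unknown" };
  }
  const cur = parseSemver(installed);
  const fix = parseSemver(patched);
  if (fix.major !== cur.major) {
    return { name, tier: 3, reason: `major bump ${installed} -> ${patched}` };
  }
  if (TOOLING_PACKAGES.has(name)) {
    return { name, tier: 2, reason: `tooling package ${installed} -> ${patched}` };
  }
  return { name, tier: 1, reason: `same-major bump ${installed} -> ${patched}` };
}

// Group open alerts by tier. Fixed or dismissed alerts are ignored, which is
// what keeps the weekly run idempotent without a state file.
function classifyAlerts(alerts, installedVersions) {
  const tiers = { 1: [], 2: [], 3: [] };
  for (const alert of alerts) {
    if (alert.state !== "open") continue;
    const verdict = classifyAlert(alert, installedVersions);
    tiers[verdict.tier].push({
      number: alert.number,
      advisory: alert.security_advisory.cve_id || alert.security_advisory.ghsa_id,
      ...verdict,
    });
  }
  return tiers;
}

// Build a constructed alert in the API's shape (ids and versions are invented).
function makeAlert(number, name, patched, state) {
  return {
    number,
    state,
    security_advisory: { ghsa_id: `GHSA-example-${number}`, cve_id: null, severity: "high" },
    security_vulnerability: {
      package: { ecosystem: "npm", name },
      first_patched_version: { identifier: patched },
    },
  };
}

// Constructed sample input: package names are real, versions are invented.
const SAMPLE_INSTALLED = { postcss: "8.5.3", vite: "6.1.0", "example-lib": "1.4.0" };
const SAMPLE_ALERTS = [
  makeAlert(1, "postcss", "8.5.10", "open"),          // Tier 1
  makeAlert(2, "vite", "6.1.5", "open"),              // Tier 2
  makeAlert(3, "example-lib", "2.0.1", "open"),       // Tier 3: major bump
  makeAlert(4, "brace-expansion", "1.1.13", "fixed"), // already resolved: skipped
];

console.log(JSON.stringify(classifyAlerts(SAMPLE_ALERTS, SAMPLE_INSTALLED), null, 2));
```

In the real run, feed `classifyAlerts` the JSON array from `gh api` and a map built from `pnpm why` output; anything that lands in Tier 3 becomes an issue, the rest becomes overrides for the PR.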
These hard-won rules prevent build breakage from resolution side-effects:
- minimatch: Do NOT use `**/minimatch` (broad override). It breaks `glob`'s ESM import of the `GLOBSTAR` named export. Use targeted overrides: `eslint/**/minimatch: ^3.1.4`, `test-exclude/**/minimatch: ^9.0.7`.
- picomatch: Use `**/picomatch: ^4.0.4` for the broad case, plus scoped overrides for 2.x consumers: `micromatch/**/picomatch: ^2.3.2`, `jscodeshift/**/picomatch: ^2.3.2`, `anymatch/**/picomatch: ^2.3.2`.
- General: Always run `pnpm why <package>` before writing a resolution to understand which consumers need which major line.
- If a resolution breaks build/test, revert it and continue with the others. One bad resolution shouldn't block the rest.
1. `gh api repos/.../dependabot/alerts` → get open alerts
2. Classify each by tier
3. Set up worktree from latest main
4. For Tier 1+2: add resolutions / version bumps
5. `pnpm install && pnpm build && pnpm test --run`
6. If green → commit, push, create PR
7. If any resolution fails → revert it, try the rest
8. For Tier 3 → file GitHub issue
9. Clean up worktree
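The resolution gotchas and step 7 of the procedure (revert one failing override, keep the rest), as an added example that is not the project's code. The verification step is injected as a function so the logic runs offline; in the real job it would shell out to `pnpm install && pnpm build && pnpm test --run` and return whether that exited cleanly. The candidate overrides and the fake verifier are constructed from the rules above.

```javascript
// Added example for the resolution gotchas and the revert-and-continue step;
// not the project's code. `verify` is injected so the logic runs offline. In
// the real run it would execute `pnpm install && pnpm build && pnpm test --run`
// and return true only on a clean exit.

// Packages the page says must never get a broad `**/<name>` override because
// their consumers sit on different major lines (minimatch: glob imports
// GLOBSTAR from v9, eslint needs v3). Extend as new cases are learned.
const NO_BROAD_OVERRIDE = new Set(["minimatch"]);

// Split candidate overrides into those worth attempting and those rejected up front.
function rejectBroadOverrides(candidates) {
  const accepted = {};
  const rejected = [];
  for (const [selector, range] of Object.entries(candidates)) {
    const m = /^\*\*\/(.+)$/.exec(selector);
    if (m && NO_BROAD_OVERRIDE.has(m[1])) {
      rejected.push({ selector, reason: `${m[1]} consumers span several majors; use scoped overrides` });
    } else {
      accepted[selector] = range;
    }
  }
  return { accepted, rejected };
}

// Apply overrides one at a time to a parsed package.json object. An override
// that fails verification is removed again before the next one is tried, and a
// selector package.json already pins is left alone (out of scope for the job).
function applyOverridesIncrementally(pkg, candidates, verify) {
  const outcome = { applied: [], reverted: [], skipped: [] };
  pkg.pnpm = pkg.pnpm || {};
  pkg.pnpm.overrides = pkg.pnpm.overrides || {};
  const overrides = pkg.pnpm.overrides;
  for (const [selector, range] of Object.entries(candidates)) {
    if (Object.prototype.hasOwnProperty.call(overrides, selector)) {
      outcome.skipped.push(selector);
      continue;
    }
    overrides[selector] = range;
    if (verify(pkg)) {
      outcome.applied.push(selector);
    } else {
      delete overrides[selector]; // revert just this one and keep going
      outcome.reverted.push(selector);
    }
  }
  return outcome;
}

// Constructed stand-in for the build/test run: it fails whenever one of the
// picomatch 2.x consumers named above is forced onto the 4.x line.
const PICOMATCH_2X_CONSUMERS = ["micromatch", "jscodeshift", "anymatch"];
function fakeVerify(pkg) {
  for (const [selector, range] of Object.entries(pkg.pnpm.overrides)) {
    const consumer = selector.split("/")[0];
    if (selector.endsWith("/picomatch") && PICOMATCH_2X_CONSUMERS.includes(consumer) && range.startsWith("^4")) {
      return false;
    }
  }
  return true;
}

// Constructed candidate set mixing good and bad overrides from the rules above.
const SAMPLE_CANDIDATES = {
  "**/minimatch": "^3.1.4",             // rejected up front
  "eslint/**/minimatch": "^3.1.4",
  "test-exclude/**/minimatch": "^9.0.7",
  "**/picomatch": "^4.0.4",             // already in package.json below: skipped
  "micromatch/**/picomatch": "^2.3.2",
  "jscodeshift/**/picomatch": "^4.0.4", // wrong major for a 2.x consumer: reverted
};

// Run the whole flow against a constructed package.json and return every artefact.
function runSample() {
  const pkg = { name: "astryx", pnpm: { overrides: { "**/picomatch": "^4.0.4" } } };
  const { accepted, rejected } = rejectBroadOverrides(SAMPLE_CANDIDATES);
  const outcome = applyOverridesIncrementally(pkg, accepted, fakeVerify);
  return { pkg, rejected, outcome };
}

console.log(JSON.stringify(runSample(), null, 2));
```

After the loop, `pkg.pnpm.overrides` contains only overrides that passed verification plus whatever was already pinned; serialise it back to package.json before committing, and report the `reverted` and `rejected` lists in the PR description so the human reviewer knows what still needs a scoped override or a Tier 3 issue.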
- Worktree: `~/xds/worktrees/night-watch-YYYYMMDD`
- Branch: `navi/chore/dependency-night-watch-YYYYMMDD`
- Commits: use `--no-verify` (husky pre-commit hooks hang in worktrees)
- Push: use `git -C ~/xds/.bare push origin <branch>` (pushing from the worktree path hangs due to fsmonitor)
- PR creation: use `gh api` from a node with GitHub auth, not the MacBook CLI
No persistent state file needed. The job is idempotent — if an alert has already been resolved (by a previous run or a merged PR), it won't appear in the open alerts list.
| Date | Result |
|---|---|
| 2026-04-25 | Initial setup. PR #1796: resolved ~20/25 alerts (postcss, picomatch, minimatch, brace-expansion + deleted stale package-lock.json). |