Use dependabot to help fixing vulnerable dependencies and improve security #875
@vraravam what do you think about this? I don't see any disadvantage of using dependabot (I'm actually running Renovate in other cases and it works just fine)
If we can somehow limit it to minor / tiny version bumps, then mostly I am ok. This is because, in some cases, a version getting bumped (and which would trigger the automated tests) would not guarantee that the app continues to run. For eg, the OTOH, I am ok to use this as a mechanism to remind the contributors that these packages have newer versions and maybe they can run those newer versions from the PRs that dependabot raises - run the app locally before approving. This can be a safe / acceptable process and use of this tool. In other words, even if we use this, we should not set it up for auto-merge. And there needs to be an agreement that all changes are built and run locally before approving the PRs. Currently, I run
@all-contributors please add @victorbnl for security
I've put up a pull request to add @victorbnl! 🎉
Was that intended? I don't actually remember having contributed to Ferdium's security
yes - this PR enhances our security :)
Well it does but I didn't make this PR 😂
@all-contributors please add @abacao for security
I've put up a pull request to add @abacao! 🎉
Hello developers
The use of dependabot is free for public projects/repositories.
It will help you to keep many of your dependencies up to date, resulting in a more secure application.
You need to enable some options in the repo configuration after adding this file.
(Settings -> Code security -> enable top 5 options)
At this moment, dependabot is able to create 5 PullRequests where it is suggesting you to bump some versions such as:
Also, Dependabot is alerting about 4 different vulnerabilities regarding jsonwebtoken.
The version in use is vulnerable to several different issues, where the highest CVSS (Common Vulnerability Scoring System) score is 7.5 and the lowest is still to be determined.
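The file the post refers to is `.github/dependabot.yml`. The configuration below is an added example, not the file from this PR, showing how the concern raised earlier in the thread (limit Dependabot to minor and patch bumps, and never auto-merge) maps onto Dependabot's own options. It assumes an npm project with its `package.json` at the repository root; the `package-ecosystem`, `directory`, schedule and PR limit are illustrative choices, not values taken from the project.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  # Assumption: npm manifest lives at the repository root.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap how many version-bump PRs Dependabot keeps open at once
    # (matches the 5 PRs mentioned in the post).
    open-pull-requests-limit: 5
    # Leave major-version bumps to humans: they are the ones most likely
    # to pass CI yet break the app at runtime. Dependabot only opens PRs
    # for semver-minor and semver-patch updates for every dependency.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    # Label the PRs so reviewers can filter them; no auto-merge is
    # configured anywhere in this file, so each PR still needs a review
    # and a local build/run before it is approved.
    labels:
      - "dependencies"
```

Dependabot security updates for alerts such as the jsonwebtoken ones are a separate feature enabled under the repository's Code security settings; this file only controls the scheduled version-update PRs. Auto-merge is not a Dependabot setting at all, so the "review and run locally before approving" agreement from the thread is enforced by branch protection and reviewers, not by this file.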