Dependabot?

[jamesxu123]

@krubenok mentioned enabling Dependabot in #700. Does anyone have any strong opinions on the matter?

Our dependencies are quite out of date and npm audit does say that there are quite a number of vulnerabilities right now. Although dependabot can end up ignored sometimes, we might need this to ensure we don't fall behind on updating when necessary in the future.

[krubenok]

For a little ~~~~ history lesson ~~~~ we used to use the old (pre-Github Acquisition) version of Dependabot several years ago. It works pretty well and most version bumps went through without issue, some did cause issues and our CI/CD wasn't the greatest (and still isn't but is getting better) and made catching things hard.

My recommendation would be to enable Dependabot and write a Github Actions script to automatically merge things that pass CI/CD into the dev branch. This will greatly reduce the merging chores but it will force devs to regularly pull changes and npm install to stay up to date.

[jamesxu123]

Is something like this what you are talking about?

[krubenok]

Without having validated other options, yeah something like that.