Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependabot: Automated dependency updates and security alerts #52

Closed
svengreb opened this issue Nov 8, 2020 · 0 comments · Fixed by #53
Closed

Dependabot: Automated dependency updates and security alerts #52

svengreb opened this issue Nov 8, 2020 · 0 comments · Fixed by #53
Labels
context-techstack scope-quality scope-security target-base type-feature
Milestone
0.6.0

Comments

@svengreb
Copy link
Owner

svengreb commented Nov 8, 2020

In June 2020 Dependabot was natively integrated into GitHub. This allows to use automated dependency updates and security vulnerability alerts.

Create the dependabot.yml file and configure updates for GitHub Actions and Yarn/NPM. The documentation will also mention the need to manually enable or disable Dependabot per repository.
@svengreb svengreb added this to the Next milestone Nov 8, 2020
@svengreb svengreb self-assigned this Nov 8, 2020
svengreb added a commit that referenced this issue Nov 8, 2020
@svengreb
Add "Dependabot" for automated dependency updates and security alerts
bc5d9f1 
In June 2020 Dependabot [1] was [natively integrated into GitHub][2].
This allows to use automated dependency updates [3] and security
vulnerability alerts [4].

Created the `dependabot.yml` file [5] and configured updates for GitHub
Actions and Yarn/NPM. The documentation also mentions the need to
manually enable or disable Dependabot per repository [6].

[1]: https://dependabot.com
[2]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot
[3]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
[4]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
[5]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilitiesconfiguring-dependabot-security-updates
[6]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates

GH-52
@svengreb svengreb mentioned this issue Nov 8, 2020
Merged
svengreb added a commit that referenced this issue Nov 8, 2020
@svengreb
Dependabot: Automated dependency updates and security alerts (#53)
4816e4e 
In June 2020 Dependabot [1] was [natively integrated into GitHub][2].
This allows to use automated dependency updates [3] and security
vulnerability alerts [4].

Created the `dependabot.yml` file [5] and configured updates for GitHub
Actions and Yarn/NPM. The documentation also mentions the need to
manually enable or disable Dependabot per repository [6].

[1]: https://dependabot.com
[2]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot
[3]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates
[4]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
[5]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilitiesconfiguring-dependabot-security-updates
[6]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/enabling-and-disabling-version-updates

Closes GH-52
@svengreb svengreb removed their assignment Nov 8, 2020
@svengreb svengreb mentioned this issue Nov 8, 2020
Closed
svengreb added a commit to svengreb/tmpl-go that referenced this issue Nov 8, 2020
@svengreb
Update to "tmpl" template repository version 0.6.0
07a1942 
Updated to "tmpl" version 0.6.0 [1] which introduced a configuration for
automated dependency updates and security alerts [2] with
Dependabot [3].
Next to the included update configurations for the CI/CD GitHub action
workflow [4] and Yarn/NPM dependencies [5], the file has been extended
to support Go modules [6].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.5.0
[2]: svengreb/tmpl#52
[3]: https://dependabot.com
[4]: https://github.com/svengreb/tmpl#cicd-action-workflow
[5]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[6]: https://golang.org/ref/mod

GH-24
svengreb added a commit to svengreb/tmpl-go that referenced this issue Nov 8, 2020
@svengreb
Update to "tmpl" template repository version 0.6.0 (#25)
793efc2 
Updated to "tmpl" version 0.6.0 [1] which introduced a configuration for
automated dependency updates and security alerts [2] with
Dependabot [3].
Next to the included update configurations for the CI/CD GitHub action
workflow [4] and Yarn/NPM dependencies [5], the file has been extended
to support Go modules [6].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.5.0
[2]: svengreb/tmpl#52
[3]: https://dependabot.com
[4]: https://github.com/svengreb/tmpl#cicd-action-workflow
[5]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[6]: https://golang.org/ref/mod

Closes GH-24
@svengreb svengreb mentioned this issue Nov 10, 2020
Closed
svengreb added a commit to svengreb/nib that referenced this issue Nov 11, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0
a32fd58 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

GH-25
svengreb added a commit to svengreb/nib that referenced this issue Nov 11, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0 (#26)
eaef697 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

Closes GH-25
svengreb added a commit to svengreb/nib that referenced this issue Nov 11, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0 (#26)
15285fb 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

Closes GH-25
@svengreb svengreb mentioned this issue Nov 12, 2020
Closed
svengreb added a commit to svengreb/wand that referenced this issue Nov 12, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0
b37945f 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

GH-4
svengreb added a commit to svengreb/wand that referenced this issue Nov 12, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0 (#5)
f778fd9 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

Closes GH-4
svengreb added a commit to svengreb/wand that referenced this issue Nov 12, 2020
@svengreb
Update to "tmpl-go" template repository version 0.5.0 (#5)
4176fc7 
Updated to `tmpl-go` version 0.5.0 [1] (including version 0.4.0 [2])
that...

1. ...introduces the initial project documentation [3].
2. ...updates golangci-lint to the currently latest version 1.32.0 [4]
   which introduces new linters like errorlint [5], tparallel [6] and
   wrapcheck [7].
3. ...updates to "tmpl" version 0.7.0 (GH-25 [8] GH-34 [9]).
   This includes...
   - ...a new configuration file for automated dependency updates and
     security alerts [10] with Dependabot [11]. Next to update
     configurations for the CI/CD GitHub action workflow [12] and
     Yarn/NPM dependencies [13], the file has been extended to support
     Go modules [14].
   - ...updates to the latest Node.js package dependency & GitHub Action
     versions.
   - ...a change of the NPM package name to use a namespace [15] which
     helps to prevent collisions with already existing NPM packages like
     tmpl [16].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.5.0
[2]: https://github.com/svengreb/tmpl-go/releases/tag/v0.4.0
[3]: svengreb/tmpl-go#32
[4]: svengreb/tmpl-go#21
[5]: https://github.com/polyfloyd/go-errorlint
[6]: https://github.com/moricho/tparallel
[7]: https://github.com/tomarrell/wrapcheck
[8]: svengreb/tmpl-go#25
[9]: svengreb/tmpl-go#34
[10]: svengreb/tmpl#52
[11]: https://dependabot.com
[12]: https://github.com/svengreb/tmpl#cicd-action-workflow
[13]: https://github.com/svengreb/tmpl#nodejs-yarn-and-npm
[14]: https://golang.org/ref/mod
[15]: svengreb/tmpl#48
[16]: https://www.npmjs.com/package/tmpl

Closes GH-4
@svengreb svengreb mentioned this issue May 5, 2022
Closed
svengreb added a commit that referenced this issue May 5, 2022
@svengreb
Opt-in Dependabot version update configuration
6e52790 
The `.github/dependabot.yml` Dependabot configuration file [2] for
automation version updates [1] that was introduced in GH-52 [3] often
causes a lot of PR noise and does not really help since updates also
often require more action than just a bump of the version number itself
like migration steps or adjustments to changes (e.g. APIs or deprecated
implementations). Since Dependabot is not able to fulfill this and only
does a stupid increase of the version number it often creates more work
than it helps. The result are often hundreds of notifications and more
digital noise for developers and maintainers without any real benefit
since version & security updates are done on a regular schedule by
maintainers who know what they are doing and how modern software should
be maintained.
Therefore the `.github/dependabot.yml` file has been renamed to
`.github/dependabot.tmpl.yml` to disable Dependabot for this repository
while still allowing repositories that are based on this template
repository to opt-in.

[1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
[2]: https://github.com/svengreb/tmpl/blob/32925a1f/.github/dependabot.yml
[3]: #52

GH-94
svengreb added a commit that referenced this issue May 5, 2022
@svengreb
Opt-in Dependabot version update configuration (#95)
d34de53 
The `.github/dependabot.yml` Dependabot configuration file [2] for
automation version updates [1] that was introduced in GH-52 [3] often
causes a lot of PR noise and does not really help since updates also
often require more action than just a bump of the version number itself
like migration steps or adjustments to changes (e.g. APIs or deprecated
implementations). Since Dependabot is not able to fulfill this and only
does a stupid increase of the version number it often creates more work
than it helps. The result are often hundreds of notifications and more
digital noise for developers and maintainers without any real benefit
since version & security updates are done on a regular schedule by
maintainers who know what they are doing and how modern software should
be maintained.
Therefore the `.github/dependabot.yml` file has been renamed to
`.github/dependabot.tmpl.yml` to disable Dependabot for this repository
while still allowing repositories that are based on this template
repository to opt-in.

[1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
[2]: https://github.com/svengreb/tmpl/blob/32925a1f/.github/dependabot.yml
[3]: #52

GH-94
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
context-techstack scope-quality scope-security target-base type-feature
Projects
None yet
Milestone
0.6.0
Development

Successfully merging a pull request may close this issue.

Dependabot: Automated dependency updates and security alerts svengreb/tmpl
1 participant
@svengreb