From f5d86aad18ff25ad4ac8d2a118dcdc465116c643 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Sat, 6 Mar 2021 21:42:45 +0000
Subject: [PATCH 1/4] chore: use dependabot to manage dependencies #259 Use dependabot to manage the dependencies defined in package.json and GitHub Actions workflows, so that we can proactively update versions. Outdated versions of third-party dependencies frequently have known security vulnerabilities with CVEs.
---
 .github/dependabot.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 000000000000..55d727b49aca
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "11:00"
+ open-pull-requests-limit: 10
+ assignees:
+ - "dependabot"
+
+- package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: daily
+ time: "11:00"
+ open-pull-requests-limit: 10
+ assignees:
+ - "dependabot"
From 93642355f6461d88502a2fe36bd33397fb0ff813 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Wed, 10 Mar 2021 19:28:12 +0000
Subject: [PATCH 2/4] code review updates
---
 .github/dependabot.yml | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 55d727b49aca..75ec8ecc13e1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
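Review bot: The CVE rationale in the commit message is only partly delivered by this file: the two `updates` entries configure Dependabot *version* updates, and as far as I know Dependabot alerts and security updates are a separate repository setting that `.github/dependabot.yml` does not switch on, so a reader of this file may assume more coverage than it provides. I would make the scope explicit with a comment at the top of the file, `# Version updates only; Dependabot alerts/security updates are a repository setting, not configured here.`, so that nobody treats the presence of this file as proof that vulnerable-dependency alerts are enabled. The config itself is otherwise a plain version-update setup; the assignee and quoting details of this first revision are reworked by the later patches in the series.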
@@ -5,15 +5,26 @@ updates: schedule: interval: "daily" time: "11:00" - open-pull-requests-limit: 10 assignees: - - "dependabot" + - "jawnsy" + reviewers: + - "jawnsy" + ignore: + # GitHub always delivers the latest versions for each major + # release tag, so ignore minor version tags + - dependency-name: "actions/cache" + versions: + - 2.x + - dependency-name: "actions/checkout" + versions: + - 2.x -- package-ecosystem: npm +- package-ecosystem: "npm" directory: "/" schedule: - interval: daily + interval: "daily" time: "11:00" - open-pull-requests-limit: 10 assignees: - - "dependabot" + - "jawnsy" + reviewers: + - "jawnsy"
From da7f506cf1148ad49b460cd56d8cb2ee46554f09 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 12 Mar 2021 17:58:30 +0000
Subject: [PATCH 3/4] ignore all official GitHub actions versions
---
 .github/dependabot.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 75ec8ecc13e1..27de5f41d3cf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,13 +11,8 @@ updates: - "jawnsy" ignore: # GitHub always delivers the latest versions for each major - # release tag, so ignore minor version tags - - dependency-name: "actions/cache" - versions: - - 2.x - - dependency-name: "actions/checkout" - versions: - - 2.x + # release tag, so handle updates manually + - dependency-name: "actions/*" - package-ecosystem: "npm" directory: "/"
From e0280a05eb264861ff28647a41886918ba0f2c46 Mon Sep 17 00:00:00 2001
From: Jonathan Yu
Date: Fri, 12 Mar 2021 18:09:02 +0000
Subject: [PATCH 4/4] make prettier happy
---
 .github/dependabot.yml | 44 +++++++++++++++++++++---------------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 27de5f41d3cf..bd36fd2565b6 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
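Review bot: In the `@@ -11,13 +11,8 @@` hunk, `- dependency-name: "actions/*"` carries no `versions` or `update-types` qualifier, so it silences every Dependabot update for first-party actions, including major-version bumps, and the "handle updates manually" promised by the new comment will never get a prompt from Dependabot. The premise of that comment, that GitHub moves the `v2`-style tag to the latest release, also means the workflows are consuming a mutable ref; a re-pointed or compromised tag changes what runs in CI with no diff in this repository, which is the supply-chain risk SHA pinning exists to close. If the option is available on this repository, narrow the ignore to minor and patch updates so major bumps still surface: keep `- dependency-name: "actions/*"` and add `update-types: ["version-update:semver-minor", "version-update:semver-patch"]` beneath it. Longer term, pin each action to a full commit SHA with a version comment and let Dependabot track those SHAs, at which point the ignore rule can be dropped.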
@@ -1,25 +1,25 @@ version: 2 updates: -- package-ecosystem: "github-actions" - directory: "/" - schedule: - interval: "daily" - time: "11:00" - assignees: - - "jawnsy" - reviewers: - - "jawnsy" - ignore: - # GitHub always delivers the latest versions for each major - # release tag, so handle updates manually - - dependency-name: "actions/*" + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + time: "11:00" + assignees: + - "jawnsy" + reviewers: + - "jawnsy" + ignore: + # GitHub always delivers the latest versions for each major + # release tag, so handle updates manually + - dependency-name: "actions/*" -- package-ecosystem: "npm" - directory: "/" - schedule: - interval: "daily" - time: "11:00" - assignees: - - "jawnsy" - reviewers: - - "jawnsy" + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + time: "11:00" + assignees: + - "jawnsy" + reviewers: + - "jawnsy"