@keith-oak keith-oak commented Jun 24, 2025

Summary

Details

This PR adds Dependabot configuration to help maintain up-to-date dependencies and automatically address security vulnerabilities. Currently, the project has:

  • 21 security vulnerabilities (1 critical, 4 high, 11 moderate, 5 low)
  • 45+ outdated packages with available updates
  • No automated dependency management

Changes Made

1. Added .github/dependabot.yml

  • Configured weekly update schedule (Mondays at 5 AM)
  • Groups minor and patch updates to reduce PR noise
  • Separate configurations for:
    • Main npm dependencies
    • Documentation site dependencies
    • GitHub Actions
  • Appropriate labels and commit message prefixes
  • Review assignment to maintainers team

2. Added DEPENDENCY_UPDATES.md

  • Complete audit of current security vulnerabilities
  • List of major version updates available
  • Recommendations for addressing issues
  • Notes on breaking changes for major updates

Benefits

  1. Automated Security Updates: Dependabot will automatically create PRs for security vulnerabilities
  2. Reduced Manual Work: No need to manually check for updates
  3. Better Security Posture: Timely updates reduce exposure to known vulnerabilities
  4. Grouped Updates: Minor and patch updates are grouped to minimize PR noise

Related Issues

Next Steps

Once this is merged, Dependabot will:

  1. Start creating PRs for security updates immediately
  2. Create grouped PRs for minor/patch updates weekly
  3. Help identify which major version updates are safe to apply

The DEPENDENCY_UPDATES.md file provides a roadmap for addressing the more complex major version updates that require manual testing.

- Add Dependabot configuration for npm and GitHub Actions
- Configure weekly update schedule with grouped minor/patch updates
- Set appropriate labels and commit message prefixes
- Add documentation of current dependency status and security vulnerabilities

This will help maintain up-to-date dependencies and address security vulnerabilities automatically. Currently there are 21 vulnerabilities (1 critical, 4 high, 11 moderate, 5 low) that need attention.
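As an added illustration of the configuration the "Changes Made" section describes (three `npm`/GitHub Actions entries, weekly Monday 05:00 schedule, grouped minor/patch updates, labels, commit prefixes and a reviewer team), this is not the PR's actual `.github/dependabot.yml`; the documentation directory, label names, commit prefixes and the reviewer team slug are assumptions:

```yaml
# Added illustration of the configuration described in the PR; paths, labels
# and the reviewer team slug are placeholders, not the PR's actual file.
version: 2
updates:
  # 1. Main npm dependencies at the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
    groups:
      # Minor and patch bumps land in one PR; major bumps stay separate
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "chore(deps)"
    reviewers: ["ORG-PLACEHOLDER/maintainers"]   # placeholder team slug

  # 2. Documentation site dependencies (directory is an assumption)
  - package-ecosystem: "npm"
    directory: "/docs"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
    groups:
      minor-and-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    labels: ["dependencies", "documentation"]
    commit-message:
      prefix: "chore(docs-deps)"

  # 3. GitHub Actions referenced by workflow files
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "05:00"
    groups:
      actions:
        patterns: ["*"]
        update-types: ["minor", "patch"]
    labels: ["dependencies", "github-actions"]
    commit-message:
      prefix: "chore(ci)"
```

Security updates are raised as soon as an advisory is published, independent of the weekly schedule, and the `groups` block above only applies to version updates unless a group sets `applies-to: security-updates`. Major version bumps are excluded from the groups on purpose so that each one arrives as its own reviewable PR.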