Many repos have automatic dependency management. Why not use a bot like Dependabot or others? Otherwise, we have to do it manually. What do you think?
@nodejs/website
FWIW, we use renovate in the google npm modules and love it.
I’m +1 on renovate.
I've only been using greenkeeper so far, but I'm fine with everything that works.
It highly depends on the rights needed for the bot, as this is a security concern for the entire Node.js GitHub org. So this must be approved by the org admins.
(This has also been the reason so far that we still do this manually.)
There is a non-zero risk that a dependency includes breaking changes in minor and patch releases. For that reason, I personally prefer to audit every dependency update manually. Tools like updates make this process simple and fast.
FWIW, I'm hugely in favor of Greenkeeper. I've used it personally, and the maintainers are long-standing (trusted?) members of the Node.js community.
Regardless of the tool we choose, this kind of automation is _a security feature_. It helps keep dependencies updated, which reduces the surface area that is available to attackers + reduces the burden on maintainers of code to resolve security issues that are introduced via stale dependencies.
@bnb I think we should use it on many repos of the organization.
So we'll add it?
I've used Greenkeeper, Renovate, and Dependabot. My favorite is Dependabot, because it has lots of controls for things like automatically merging PRs that pass checks, or auto-merging a specific set of whitelisted (trusted) modules.
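The auto-merge controls mentioned above (merge only trusted modules, only when checks pass) amount to a policy over the semver bump a bot PR proposes. As an added illustration, not code from this thread or from any of the bots discussed, here is one such policy check in Node.js: the allowlist, the thresholds and the sample updates are all constructed assumptions.

```javascript
// Added example: decide whether a bot's dependency-update PR may be
// auto-merged or must wait for human review. Allowlist and thresholds
// are assumptions for illustration, not any bot's real configuration.

const SEMVER = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;

function parseSemver(v) {
  const m = SEMVER.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric ordering of two parsed versions (pre-release tags ignored here).
function compare(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

// Classify the change: "major", "minor", "patch", "prerelease",
// "downgrade" or "none". Downgrades are flagged separately because a bot
// should never silently move a dependency backwards.
function bumpType(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  if (a.prerelease || b.prerelease) return 'prerelease';
  const c = compare(a, b);
  if (c > 0) return 'downgrade';
  if (c === 0) return 'none';
  if (b.major !== a.major) return 'major';
  if (b.minor !== a.minor) return 'minor';
  return 'patch';
}

// Assumed policy: only allowlisted modules are ever auto-merged; majors,
// pre-releases and downgrades always need review; 0.x releases carry no
// compatibility promise, so they need review too; minors are auto-merged
// only where the allowlist entry opts in; patches of trusted modules merge.
function mergeDecision({ name, from, to }, allowlist) {
  const entry = allowlist[name];
  if (!entry) return { action: 'review', reason: `${name} is not allowlisted` };
  const bump = bumpType(from, to);
  if (bump === 'none') return { action: 'skip', reason: 'no version change' };
  if (bump === 'major' || bump === 'prerelease' || bump === 'downgrade') {
    return { action: 'review', reason: `${bump} change` };
  }
  if (parseSemver(to).major === 0) return { action: 'review', reason: '0.x release' };
  if (bump === 'minor' && !entry.allowMinor) return { action: 'review', reason: 'minor bump' };
  return { action: 'automerge', reason: `${bump} bump of trusted module` };
}

// Constructed sample allowlist (hypothetical module names).
const TRUSTED = { 'trusted-lib': { allowMinor: false }, 'trusted-cli': { allowMinor: true } };
```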
I think we should move with dependabot. But before that we should definitely enable automated security fixes in the repo: https://help.github.com/en/articles/configuring-automated-security-fixes
Automated security fixes are turned on for the repository (as of a few days ago, I think). IIUC, GitHub purchased dependabot and that's how automated security fixes are done. So I guess this can be closed?
Nope, one still needs to add the dependabot app for normal dependency updates and configure it optionally.
On Sun, Sep 29, 2019, 20:58 Rich Trott notifications@github.com wrote:
I think we should move with dependabot. But before that we should definitely enable automated security fixes in the repo: https://help.github.com/en/articles/configuring-automated-security-fixes
Automated security fixes are turned on for the repository (as of a few days ago, I think). IIUC, GitHub purchased dependabot and that's how automated security fixes are done. So I guess this can be closed?
I think Dependabot or similar has to be added, because it is also configurable, etc.
Closing this since dependabot appears to be enabled now. 🎉