* Initial plan

* Add automated dependency updates and security scanning

  - Add Dependabot configuration for npm, GitHub Actions, and Docker
  - Configure daily security updates and weekly regular updates
  - Group related dependencies (React, testing, blockchain, etc.)
  - Add CodeQL security analysis workflow
  - Add dependency review workflow for PRs
  - Add auto-merge workflow for patch/minor updates
  - Create comprehensive dependency management documentation
  - Update README with dependency management section

  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>

* Add monthly dependency audit automation and templates

  - Add monthly audit issue template
  - Add automated workflow to create monthly audit issues
  - Automate dependency audit reminders on first of each month

  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>

* Changes before error encountered

  Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>

* Simplify Dependabot auto-merge workflow

  - Replace complex wait-on-check-action with native GitHub auto-merge
  - Use pull_request_target trigger for better permissions handling
  - Simplify workflow to single job with clearer logic
  - Update documentation to reflect simpler workflow
  - Remove dependency on third-party action that may be unreliable

  Co-authored-by: PatrickFanella <61631520+PatrickFanella@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: onnwee <211922112+onnwee@users.noreply.github.com>
Co-authored-by: PatrickFanella <61631520+PatrickFanella@users.noreply.github.com>
# Dependency Update Process - Quick Reference

This is a quick reference guide for the automated dependency update process. For comprehensive documentation, see `docs/DEPENDENCY_MANAGEMENT.md`.
## 🤖 What Runs Automatically

### Daily (9:00 AM PST)

- ✅ Security updates for all packages
- ✅ Auto-approved and auto-merged after CI passes
- ✅ Notifications sent for high/critical vulnerabilities

### Weekly (Mondays, 9:00 AM PST)

- ✅ Regular updates (patch and minor versions)
- ✅ Grouped by category (React, testing, etc.)
- ✅ Auto-merged after CI passes
- ⚠️ Major updates require manual review

### On Every PR

- ✅ Dependency review checks for vulnerabilities
- ✅ License compliance checks
- ✅ Fails PR if moderate+ severity issues found

### Weekly (Mondays, 6:00 AM UTC) + Every Push/PR

- ✅ CodeQL security analysis for code vulnerabilities
- ✅ Results available in Security tab
## 👀 What Needs Your Attention

### Immediate Action Required

- **High/Critical security alerts**
  - Check: Security tab → Dependabot alerts
  - Action: Review and merge the auto-generated PR within 1 day
- **Failed CI on Dependabot PRs**
  - Check: PR checks section
  - Action: Review errors, fix issues, or close PR
- **CodeQL high severity alerts**
  - Check: Security tab → Code scanning
  - Action: Create issue and fix within 1 day

### Weekly Review

- **Major version updates**
  - Check: PRs labeled `dependencies` without `automerge`
  - Action: Review changelog, test locally, approve/reject
- **Blocked Dependabot PRs**
  - Check: Open Dependabot PRs older than 1 week
  - Action: Review, test, and merge or close with reason

### Monthly Audit (First Monday)

- **Dependency health check**
  - Run: `npm outdated`, `npm audit`
  - Action: Review and plan updates for outdated packages
- **Consolidate dependencies**
  - Review: Look for duplicate or unnecessary packages
  - Action: Remove unused dependencies
## 📋 Quick Commands

```bash
# Check outdated packages (the web/ commands run in a subshell so the
# working directory is unchanged when the snippets are pasted in sequence)
npm outdated
(cd web && npm outdated)

# Security audit
npm audit
(cd web && npm audit)

# Test Dependabot PR locally
gh pr checkout <PR-NUMBER>
npm ci --legacy-peer-deps
npm test && npm run lint

# Deduplicate dependencies
npm dedupe
(cd web && npm dedupe)

# Manual security fix (use with caution)
npm audit fix
```
## ✅ Review Checklist for Dependabot PRs

**Patch/Minor Updates (usually auto-merged):**

- CI checks pass (green checkmarks)
- No unexpected file changes (only `package.json`, lock files)
- Auto-merge label present

**Major Updates (manual review required):**

- Read release notes and changelog
- Check for breaking changes
- Review diff for unexpected changes
- Test locally: `gh pr checkout <PR>` → `npm test`
- Verify builds: `npm run build`
- Manual testing if critical package
- Approve and merge OR close with reason
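As an added example (not the project's own workflow code), the Node script below applies the patch/minor rule from "What Runs Automatically" and the "expected files only" check from the checklist to a Dependabot PR. The PR titles, versions and file lists are constructed; grouped PRs, whose titles do not name a single version bump, are deliberately classified as unknown and left to manual review.

```javascript
// Dependabot single-package PR title: "Bump <pkg> from <old> to <new>"
// (an optional " in /web" suffix is tolerated). Grouped PRs and bumps
// without a full x.y.z version do not match and are classified "unknown".
const TITLE_RE = /^Bump (\S+) from (\d+)\.(\d+)\.(\d+) to (\d+)\.(\d+)\.(\d+)/;

// A dependency update should only touch the manifest and lock files
// at the repo root or under web/ (assumed layout for this example).
const ALLOWED_FILES = /^(?:web\/)?package(?:-lock)?\.json$/;

// Classify the semver change. Plain semver numbering is used; 0.x
// packages get no special treatment here (assumption of this example).
function updateType(title) {
  const m = TITLE_RE.exec(title);
  if (!m) return "unknown";
  const [oldMajor, oldMinor, , newMajor, newMinor] = m.slice(2).map(Number);
  if (newMajor !== oldMajor) return "major";
  if (newMinor !== oldMinor) return "minor";
  return "patch";
}

// Mirror the checklist: CI green, patch/minor only, no unexpected files.
// Every blocking reason is collected so a reviewer sees them all at once.
function autoMergeDecision({ title, changedFiles, ciPassed }) {
  const type = updateType(title);
  const reasons = [];
  if (!ciPassed) reasons.push("CI checks have not passed");
  if (type === "major") reasons.push("major version update: manual review required");
  if (type === "unknown") reasons.push("could not determine update type from PR title");
  const unexpected = changedFiles.filter((f) => !ALLOWED_FILES.test(f));
  if (unexpected.length > 0) reasons.push(`unexpected file changes: ${unexpected.join(", ")}`);
  return { type, eligible: reasons.length === 0, reasons };
}

// Constructed sample PRs (titles, versions and file lists are invented).
const samplePrs = [
  { title: "Bump react from 18.2.0 to 18.3.1 in /web",
    changedFiles: ["web/package.json", "web/package-lock.json"], ciPassed: true },
  { title: "Bump eslint from 8.57.0 to 9.0.0",
    changedFiles: ["package.json", "package-lock.json"], ciPassed: true },
  { title: "Bump lodash from 4.17.20 to 4.17.21",
    changedFiles: ["package.json", "package-lock.json", "src/index.js"], ciPassed: true },
  { title: "Bump the react group with 2 updates",
    changedFiles: ["web/package.json", "web/package-lock.json"], ciPassed: true },
];

for (const pr of samplePrs) {
  const d = autoMergeDecision(pr);
  console.log(`${pr.title}: ${d.eligible ? "auto-merge" : "blocked"} (${d.type})`, d.reasons);
}
```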
## 🚨 When to Reject an Update

Close the PR and create an issue if:

- ❌ Introduces breaking changes we can't accommodate
- ❌ Causes test failures that aren't easily fixable
- ❌ Significantly increases bundle size without justification
- ❌ Has known bugs reported in recent issues
- ❌ License changed to incompatible terms
- ❌ Package is deprecated or unmaintained
## 📊 Where to Find Information

| What | Where |
|---|---|
| Dependabot PRs | Pull Requests filtered by `dependencies` label |
| Security alerts | Security tab → Dependabot |
| CodeQL results | Security tab → Code scanning |
| Workflow runs | Actions tab |
| Failed checks | Click PR → Checks tab |
| Dependency graph | Insights tab → Dependency graph |
## 🔧 Configuration Files

- Dependabot: `.github/dependabot.yml`
- Auto-merge: `.github/workflows/dependabot-auto-merge.yml`
- CodeQL: `.github/workflows/codeql-analysis.yml`
- Dependency Review: `.github/workflows/dependency-review.yml`
## 🆘 Troubleshooting

**Dependabot not creating PRs?**

- Check: Insights → Dependency graph → Dependabot
- Look for errors or paused updates
- Manually trigger: Click "Check for updates"

**Auto-merge not working?**

- Verify CI passes
- Check update type (major versions don't auto-merge)
- Review Actions tab for workflow errors

**Security alert not resolved?**

- Check if Dependabot PR exists
- If no PR, may need manual update
- Check if vulnerability is in transitive dependency
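The dependency review gate ("fails PR if moderate+ severity issues found") and the transitive-dependency check above can both be exercised locally against `npm audit --json`. The script below is an added example, not part of the project's tooling; it runs over a constructed report in the npm 7+ audit format with invented package names and advisories.

```javascript
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
// An object in `via` is the advisory itself; a string names the dependency
// through which the package is affected.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Transitive package carrying the advisory (reached through example-glob).
    "example-minimatch": {
      name: "example-minimatch", severity: "moderate", isDirect: false,
      via: [{ title: "ReDoS (constructed advisory)", severity: "moderate", range: "<3.0.5" }],
      range: "<3.0.5", fixAvailable: true,
    },
    // Direct dependency that is vulnerable only through example-minimatch.
    "example-glob": {
      name: "example-glob", severity: "moderate", isDirect: true,
      via: ["example-minimatch"], range: ">=7.0.0 <7.2.1", fixAvailable: true,
    },
    // Direct dependency whose only fix is a breaking major upgrade.
    "example-parser": {
      name: "example-parser", severity: "high", isDirect: true,
      via: [{ title: "Prototype pollution (constructed advisory)", severity: "high", range: "<3.0.0" }],
      range: "<3.0.0", fixAvailable: { name: "example-parser", version: "3.0.0", isSemVerMajor: true },
    },
  },
};

// Summarise each finding and decide whether the report passes the gate.
// `failAt` is the lowest severity that fails the PR (moderate, as on this page).
function triageAudit(report, failAt = "moderate") {
  const findings = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name,
    severity: v.severity,
    transitive: !v.isDirect,                       // no direct Dependabot PR expected
    hasOwnAdvisory: v.via.some((x) => typeof x === "object"),
    reachedVia: v.via.filter((x) => typeof x === "string"),
    fixAvailable: v.fixAvailable !== false,
    fixIsMajor: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
  }));
  const threshold = SEVERITY_RANK[failAt];
  const failing = findings.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { findings, failing: failing.map((f) => f.name), passes: failing.length === 0 };
}

const sampleResult = triageAudit(sampleAudit);
console.log(sampleResult.passes ? "gate passed" : `gate failed: ${sampleResult.failing.join(", ")}`);
console.table(sampleResult.findings);
```

With a real report, pipe `npm audit --json` into the script and pass the parsed object to `triageAudit`; findings marked transitive with an own advisory are the ones the troubleshooting step refers to.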
## 📚 Full Documentation

For detailed information:

- Complete guide: `docs/DEPENDENCY_MANAGEMENT.md`
- Security policy: `SECURITY_POLICY.md`
- Contributing: `CONTRIBUTING.md`

## 💬 Getting Help

- Open a GitHub Discussion
- Email: security@subculture.io
- Review existing dependency issues