DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP
Apache License 2.0

Dependabot is paused #6406

Closed hannes-ucsc closed 1 month ago

hannes-ucsc commented 1 month ago
hannes-ucsc commented 1 month ago

I fixed this for now by disabling and re-enabling Dependabot, but we need to ensure that we regularly perform one of the actions mentioned in the GitHub documentation to prevent this from happening in the future, especially considering that I only discovered this by chance.

I think that the solution is to require by policy that operators explicitly close Dependabot PRs before merging the upgrade PR. The PR should be closed with a comment referring to the commit on the upgrade PR that addresses the vulnerability the Dependabot PR attempts to address. And the best place to establish that policy would be the checklist in the upgrade issue.