Research and Setup Dependa Bot for Cumulus

krisstanton commented 1 month ago

[ ] Document the generic lib update steps for Yarn and add that to the documentation part of the repo (Kris)
[ ] Document the generic lib update steps for Ruby and add that to the documentation part of the repo (Kris)
[ ] Delegate this part of the task to Grad Students
- [ ] Find out if there is a way to setup githubs dependabot to automatically flag anything outdated.
- [ ] Perform the necessary tasks to get DependaBot to do it's automatic scans

aliziel commented 1 month ago

@krisstanton You might've already seen this, but looks like we can also hook up Snyk in GitHub to automate dep management. Not sure if its an option for us or if other constraints exist here, but might be worth weighing against Dependabot if we haven't already !

Also IIRC, at the planning meeting last week, someone mentioned that Snyk is already built into deploy workflows but they might've been thinking of the GitHub Advanced Security bot. If there are Snyk-specific gaps/concerns, it looks like there are CI options as well.

hbparache commented 1 month ago

Snyk is sufficient for Cumulus :)

NASA-IMPACT / csdap-cumulus

Research and Setup Dependa Bot for Cumulus #382