Open tomaspalma opened 2 months ago
I have just enabled the first, which already does that with Dependabot. Should we enable the second one to open a PR?
Feel free to configure these settings yourself.
Thank you!
I think that the dependabot part might be more suitable for the #225 issue.
This one was more to have the `npm run audit` command run when a PR tried to merge into `develop`. Although Dependabot will alert for vulnerabilities in dependencies already in our project, it won't alert for new dependencies that will be merged by a PR.
Should we enable the second one to open a PR?
I believe it is a good idea: even though it may add noise to the PR tab, security is important.
Before merging a pull request, we should have an action that checks if vulnerabilities were found in any of the packages
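A minimal GitHub Actions workflow that does what this thread asks for, added here as an example and not the project's own configuration: it runs on pull requests into `develop`, installs exactly what the lockfile pins, and fails the check when `npm audit` reports a high or critical advisory. The file path, Node version and audit threshold are assumptions; `npm audit` is npm's built-in command (the `npm run audit` mentioned above would need a package.json script of that name).

```yaml
# .github/workflows/npm-audit.yml  (assumed path; added example)
name: npm audit

on:
  pull_request:
    branches: [develop]   # only PRs targeting develop, as discussed in the issue

permissions:
  contents: read          # least privilege: the job only needs to read the repo

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed; match the project's engines field
          cache: npm

      # npm ci installs the tree pinned in package-lock.json, so the audit covers
      # the dependencies the PR would actually merge, including newly added ones.
      # --ignore-scripts keeps install-time scripts of untrusted packages from running.
      - run: npm ci --ignore-scripts

      # Non-zero exit (and a failed check) when any dependency has an advisory
      # at or above the threshold. "high" is an assumed threshold; use
      # "moderate" for a stricter gate or omit the flag to fail on any advisory.
      - run: npm audit --audit-level=high
```

With a branch protection rule requiring this check, a PR that pulls in a package with a known high-severity advisory cannot be merged into `develop` until the dependency is updated or removed.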