Closed. michaelachrisco closed this 1 year ago.
Simply navigate to the "Security" tab in a repository and enable the desired features.

You can also create a `.github/dependabot.yml` configuration file and give it these contents:

```yaml
# Set update schedule for GitHub Actions
# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
```
Is your feature request related to a problem? Please describe.

We want to be able to check for vulnerabilities within dependencies without breaking ongoing pull requests. `npm audit` was our first thought but has a number of downsides: `npm audit --fix`, which will update all dependencies that have vulnerabilities but will also cause breakages within frameworks like react and angular.

Describe the solution you'd like.

dependabot seems to be a good solution that is recommended by GitHub itself. If anyone else has a good process or tool to update products and protect against vulnerabilities, I would love to hear from you!

Describe alternatives you've considered

No response

Additional context

No response
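As an added illustration of the "check without breaking anything" requirement in the issue (this is example code, not from the issue or from the project): a read-only CI gate that parses the JSON report `npm audit --json` produces (npm 7+ format, `auditReportVersion` 2) and fails the build only at or above a chosen severity, while separately flagging findings whose only available fix is a semver-major upgrade, the kind of change that breaks frameworks like react or angular. The report below is constructed for the example; the package names and advisory titles are made up.

```python
import json

# Constructed sample of `npm audit --json` output. Package names and advisories are invented;
# "fixAvailable" mirrors npm's shapes: true, false, or an object describing a breaking fix.
SAMPLE_AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-parser": {"severity": "high", "isDirect": false,
      "via": [{"source": 1, "title": "Prototype pollution (constructed)"}],
      "fixAvailable": {"name": "example-framework", "version": "3.0.0", "isSemVerMajor": true}},
    "example-logger": {"severity": "moderate", "isDirect": true,
      "via": [{"source": 2, "title": "ReDoS (constructed)"}], "fixAvailable": true},
    "example-legacy": {"severity": "low", "isDirect": true,
      "via": ["example-parser"], "fixAvailable": false}
  }
}"""

# npm's severity scale, lowest to highest; used to honour an --audit-level style threshold.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def triage(report: dict, audit_level: str = "high") -> dict:
    """Classify findings without modifying anything (unlike `npm audit fix`).

    Returns the packages that fail the gate at `audit_level`, the subset whose only fix is a
    semver-major bump (what `npm audit fix --force` would apply), and those with no fix at all.
    """
    threshold = SEVERITY_ORDER.index(audit_level)
    failing, breaking_fix, no_fix = [], [], []
    for name, vuln in report["vulnerabilities"].items():
        if SEVERITY_ORDER.index(vuln["severity"]) < threshold:
            continue  # below the gate: report nothing, block nothing
        failing.append(name)
        fix = vuln.get("fixAvailable")
        if fix is False:
            no_fix.append(name)
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            breaking_fix.append(name)
    return {"failing": sorted(failing), "breaking_fix": sorted(breaking_fix), "no_fix": sorted(no_fix)}


def gate(audit_json: str, audit_level: str = "high") -> bool:
    """True when the build may proceed: no finding at or above `audit_level`."""
    return not triage(json.loads(audit_json), audit_level)["failing"]


if __name__ == "__main__":
    print(triage(json.loads(SAMPLE_AUDIT_JSON), "moderate"))
```

In a pipeline the report would come from `npm audit --json > audit.json` on the pull request branch; the lockfile is never rewritten, so open pull requests keep their dependency set.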