Since there are so many untrusted dependencies used in the TypeScript code, vulnerabilities can be found at any time and we need to be able to quickly update the impacted dependencies when this happens.
Dependabot is now native to GitHub 👏
This means all we need to do is add a new dependabot.yml file under the .github directory. Within the config we can specify where the dependencies are managed, for example the location of package.json for Node.js. Additionally/conveniently, if using Yarn workspaces, Dependabot should automatically handle package.json files in subdirectories of the workspace (as noted here https://github.com/dependabot/dependabot-core/issues/603)!
Questions
Is daily an appropriate interval? From the examples this seems pretty typical.
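A minimal dependabot.yml that implements what is described above, added here as an example and not the repository's own file. It assumes the root package.json lives at the repository root (directory "/"), uses the daily interval the question above mentions, and caps concurrent update PRs; the limit value is an arbitrary choice.

```yaml
# .github/dependabot.yml (example, not the project's actual file)
version: 2
updates:
  # The "npm" ecosystem covers both npm and Yarn lockfiles; with Yarn
  # workspaces, package.json files in workspace subdirectories are picked
  # up from this single root entry (see dependabot-core issue 603).
  - package-ecosystem: "npm"
    directory: "/"          # assumption: root package.json is at the repo root
    schedule:
      interval: "daily"     # the interval discussed above; "weekly" is the other common choice
    open-pull-requests-limit: 10   # assumption: keeps the review queue bounded
```

Each update arrives as a separate PR with the lockfile diff, so reviewing that diff (not just the version bump in package.json) before merging is where the supply-chain check actually happens.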
PR
Description
Via @tynes: the issue description above.