openfisca / legislation-explorer

Explore legislation formulas and parameters.
https://legislation.demo.openfisca.org
GNU Affero General Public License v3.0

Proposal turn on dependabot #166

Closed Br3nda closed 6 years ago

Br3nda commented 6 years ago

I use @dependabot to quickly send me PRs of security upgrades in package.json. Then the tests can run, and generally the fix is low effort.

Let's turn it on here, so we have git master patched quickly after an advisory.

MattiSG commented 6 years ago

Thanks @Br3nda for the suggestion! I had a look at https://github.com/ServiceInnovationLab/legislation-explorer/pulls to see the impact of enabling dependabot.

While I am impressed with the bot itself, I am honestly feeling like this would hardly be manageable in the current resource context of this codebase. If I am to spend time updating dependencies, I would rather spend it removing as many as possible, as the whole webpack pipeline for example is out of control.

I at least can't personally commit to handling incoming updates. Is there anyone around @openfisca/core-contributors who could?

fpagnoux commented 6 years ago

Some dependencies are definitely getting very old, but yeah, I don't think I'd either have the bandwidth to systematically upgrade all our dependencies...

For instance, upgrading from webpack 1 to webpack 3 doesn't seem trivial to me.

Damned, we are so out of date that it became really hard to get up to date again. 😞

MattiSG commented 6 years ago

REMOVE WEBPACK 😜

Br3nda commented 6 years ago

I'll go ahead and configure it. If there are good enough tests, then it can be very low effort - certainly less effort than patching manually.

Br3nda commented 6 years ago

Ah, I don't have access to add an app to an organisation. Someone will need to do it. https://github.com/marketplace/dependabot

bonjourmauko commented 6 years ago

@Br3nda I just did:

[screenshot: 2018-08-16 16:21:20]

Please let me know if you have any further issues.

Br3nda commented 6 years ago

@maukoquiroga You can configure it to just do security patches - and also to just do lock file changes.
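A Dependabot configuration of the kind the comment above describes (security updates only, lock file changes only), as an added example that is not part of this thread or the project's repository. It assumes the current GitHub-native `.github/dependabot.yml` format rather than the configuration of the 2018 marketplace app that was enabled here.

```yaml
# .github/dependabot.yml (added example; assumes the current GitHub-native
# Dependabot, not the 2018 marketplace app enabled in this thread)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"               # where package.json and the lock file live
    schedule:
      interval: "weekly"
    # Only bump the lock file; leave the version ranges in package.json as they are.
    versioning-strategy: "lockfile-only"
    # 0 turns off routine version-update PRs; security updates triggered by
    # an advisory are still opened as their own PRs.
    open-pull-requests-limit: 0
```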

bonjourmauko commented 6 years ago

I did:

[screenshots: 2018-08-20 15:11:08 and 2018-08-20 15:10:50]

Do you think we can close the issue?