Conversation

@yeikel (Collaborator) commented Sep 22, 2025

Is there anything you'd like reviewers to focus on?

Dependencies such as Spring are highly susceptible to CVEs, so it’s important to promptly receive and merge fixes when vulnerabilities are identified. For example, #1354 needed manual intervention due to this same Dependabot timing.

Theoretically, Dependabot security updates (if enabled) should be able to handle security upgrades off the schedule. However, that heavily depends on a vetted CVE and the corresponding Dependabot alert. For new CVEs where the alert does not exist yet, this may add 2-3 days of latency.

Currently, the number of Dependabot pull requests is low because of our grouping configuration, so increasing its run frequency should not create extra noise for maintainers.

I excluded GitHub Actions because weekly should be fine for that ecosystem, given that the CVE pressure there is low.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

A picture of a cute animal (not mandatory but encouraged)

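The schedule change described above, as an added example that is not part of this pull request or the project's own dependabot.yml; the Maven ecosystem, the root directory and the catch-all group pattern are assumptions:

```yaml
# Added illustration, not the repository's own configuration.
# Assumptions: Maven is the application ecosystem and lives at the repo root.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"          # was weekly: shortens the window between a
                                 # fixed release and the version bump PR
    groups:
      all-dependencies:
        patterns: ["*"]          # grouping keeps the daily run to one PR,
                                 # so maintainer noise does not increase

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"         # left at weekly: CVE pressure is low here
```

Dependabot security updates driven by alerts still bypass the grouping and open-PR limit; the daily schedule only closes the gap for fixes that ship before an alert exists.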

@yeikel yeikel requested a review from a team as a code owner September 22, 2025 19:49
@kapybro (bot) added labels status/triage (Issues pending maintainers triage), scope/infra (CI, CD, dev. env, etc.), status/triage/manual (Manual triage in progress) and status/triage/completed (Automatic triage completed), and removed status/triage, on Sep 22, 2025

@Haarolean (Member) left a comment

I don't think we need this right now. At the moment, we're limited by the number of open pull requests (30 rn), and bumping the interval won't change anything unless we start to merge these PRs more often.

@yeikel (Collaborator, Author) commented Sep 23, 2025

> I don't think we need this right now. At the moment, we're limited by the number of open pull requests (30 rn), and bumping the interval won't change anything unless we start to merge these PRs more often.

I understand your reasoning, but I think that it'd be easier for me to tag the team in ready-to-go Dependabot security upgrades than to analyze the CVE logs, send the pull request, wait for CI and only then send the pull request for review.

@Haarolean (Member) commented

>> I don't think we need this right now. At the moment, we're limited by the number of open pull requests (30 rn), and bumping the interval won't change anything unless we start to merge these PRs more often.

> I understand your reasoning, but I think that it'd be easier for me to tag the team in ready-to-go Dependabot security upgrades than to analyze the CVE logs, send the pull request, wait for CI and only then send the pull request for review.

If the bump is CVE-related, these rules (grouping and PR limits) are ignored and PRs are raised as separate bumps.

@yeikel (Collaborator, Author) commented Sep 23, 2025

> If the bump is CVE-related, these rules (grouping and PR limits) are ignored and PRs are raised as separate bumps.

Yes, but see this point:

> Theoretically, Dependabot security updates (if enabled) should be able to handle security upgrades off the schedule. However, that heavily depends on a vetted CVE and the corresponding Dependabot alert. For new CVEs where the alert does not exist yet, this may add 2-3 days of latency.

That's why I discovered and created #1354 before the Dependabot pull request was created.

Dependencies like Spring are very prone to CVEs, and we should not delay receiving and merging fixes when CVEs are found.