Resolve old dependency PRs #226

Closed
4 tasks done
kyleecodes opened this issue Nov 16, 2023 · 0 comments
Assignees
Labels
dependencies Pull requests that update a dependency file priority: now Should be prioritized immediately.

Comments

kyleecodes (Member) commented Nov 16, 2023

Overview

We need to clean up this repo's pull requests, specifically the PRs opened by Dependabot & Snyk, because many are outdated and contain high severity dependency alerts.

Action Items

  • Manually resolve PRs opened by Snyk. Snyk no longer has access to Chayn's repos because we use Dependabot now; since Snyk won't be able to interact with these PRs any further, we will need to make these changes manually.
  • Resolve Dependabot alerts. Approve their workflow runs and resolve any merge conflicts. Locally test these changes. If they pass all tests, merge these PRs. If the tests don't pass, keep the PR open for future reference. If there are repeat PRs for the same dependency, try to merge the highest version possible and close the rest.
  • Open new issues and triage with staff software engineers for dependency upgrades that result in test failures.
  • Resolve Dependabot alerts.

Note: there is a workflow from Snyk called security/snyk (chaynteam) that is required for merging; please bypass this requirement, as Snyk has been removed from this repo and can no longer access it.

Resources

To resolve remaining dependency alerts, nextjs must be updated.

@kyleecodes kyleecodes added the dependencies Pull requests that update a dependency file label Nov 16, 2023
@kyleecodes kyleecodes added this to the 01. Compliance & Security milestone Nov 16, 2023
@chaynHQ chaynHQ deleted a comment from github-actions bot Nov 16, 2023
@kyleecodes kyleecodes self-assigned this Dec 27, 2023
@kyleecodes kyleecodes added the priority: now Should be prioritized immediately. label Dec 27, 2023
@kyleecodes kyleecodes changed the title Resolve old dependency PRs: high and critical severity Resolve old dependency PRs Dec 27, 2023