
Spike/1451 investigate dependabot setup config #6291

Closed
wants to merge 9 commits into from

Conversation

ssrome
Collaborator

@ssrome ssrome commented Jul 11, 2024

Work done

  • Change dependabot config to target main branch with pr limit of 5
  • Grouped patch updates for dependabot to create less PRs
  • Bump express from 4.18.2 to 4.19.2 in /frontend
  • Bump follow-redirects from 1.15.3 to 1.15.6 in /frontend
  • Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /frontend

Tests

Does this PR include tests for the changes introduced?

  • Yes
  • No, I found it difficult to test
  • No, they are not required for this change

dependabot bot and others added 8 commits March 16, 2024 22:05
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.3 to 1.15.6.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.3...v1.15.6)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [webpack-dev-middleware](https://github.com/webpack/webpack-dev-middleware) from 5.3.3 to 5.3.4.
- [Release notes](https://github.com/webpack/webpack-dev-middleware/releases)
- [Changelog](https://github.com/webpack/webpack-dev-middleware/blob/v5.3.4/CHANGELOG.md)
- [Commits](webpack/webpack-dev-middleware@v5.3.3...v5.3.4)

---
updated-dependencies:
- dependency-name: webpack-dev-middleware
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [express](https://github.com/expressjs/express) from 4.18.2 to 4.19.2.
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
…_yarn/frontend/express-4.19.2

Bump express from 4.18.2 to 4.19.2 in /frontend
…_yarn/frontend/follow-redirects-1.15.6

Bump follow-redirects from 1.15.3 to 1.15.6 in /frontend
…_yarn/frontend/webpack-dev-middleware-5.3.4

Bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /frontend
@ssrome ssrome marked this pull request as ready for review July 12, 2024 09:10
@ssrome ssrome changed the base branch from main to feat/1497-update-critical-npm-dependencies September 2, 2024 15:55
@ssrome ssrome changed the base branch from feat/1497-update-critical-npm-dependencies to main September 2, 2024 15:55
@kapppa-joe kapppa-joe changed the base branch from main to fix/searchUsers September 2, 2024 15:56

_log(level, msg) {
  // msg is written to the console verbatim, including any sensitive fields it carries
  if (this._logLevel >= level) {
    console.log(`TODO: (${level}) - User class: `, msg);
  }
}

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information (High)

This logs sensitive data returned by an access to isPasswordValid as clear text.
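The CodeQL alert above is about the `msg` argument reaching `console.log` unfiltered. A hardened form of that `_log` method, written as an added example that is not code from this PR or the project, redacts known-sensitive keys (the `SENSITIVE_KEYS` list, the `SafeLogger` class, the `redact` helper and the sample user object are all assumptions made for the demo) before anything is serialised to the log sink:

```javascript
// Added example, not the project's code. Demonstrates a logger that redacts
// sensitive fields (including the result of an isPasswordValid lookup) before
// the message reaches console.log, which is the mitigation for the CodeQL
// finding "Clear-text logging of sensitive information".

// Assumed list of key names that must never be logged in clear text.
const SENSITIVE_KEYS = new Set([
  'password', 'passwordhash', 'ispasswordvalid', 'token', 'secret', 'authorization',
]);

const LEVELS = { error: 0, warn: 1, info: 2, debug: 3 };

// Return a deep copy of `value` with sensitive keys replaced by '[REDACTED]'.
// Handles nested objects, arrays and circular references; primitives pass through.
function redact(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map((v) => redact(v, seen));
  if (value && typeof value === 'object') {
    if (seen.has(value)) return '[Circular]';
    seen.add(value);
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : redact(v, seen);
    }
    return out;
  }
  return value;
}

// Hypothetical replacement for the flagged User class logger.
class SafeLogger {
  constructor(logLevel = LEVELS.info, sink = console.log) {
    this._logLevel = logLevel;
    this._sink = sink;
    this.lines = []; // copy of every emitted line, so callers can inspect output
  }

  // Same gate as the original _log(level, msg), but msg is redacted first.
  _log(level, msg) {
    if (this._logLevel >= level) {
      const safe = typeof msg === 'string' ? msg : JSON.stringify(redact(msg));
      const line = `(${level}) - User class: ${safe}`;
      this.lines.push(line);
      this._sink(line);
    }
  }
}

// Constructed sample input: the kind of object a password-check path might log.
function demo() {
  const logger = new SafeLogger(LEVELS.debug, () => {}); // silent sink for the demo
  logger._log(LEVELS.debug, {
    username: 'alice',
    isPasswordValid: true,
    password: 'hunter2',
    session: { token: 'abc123', expires: 3600 },
  });
  return logger.lines[0];
}

console.log(demo());
```

Matching on key names is a deny-list, so it only catches fields the team has thought of; the safer structural fix is to never pass whole credential-bearing objects to a logger at all, and to log only the identifiers needed to trace the request.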
@kapppa-joe kapppa-joe changed the base branch from fix/searchUsers to main September 2, 2024 15:56
@ssrome ssrome closed this Sep 2, 2024
@ssrome ssrome deleted the spike/1451-investigate-dependabot-setup-config branch September 2, 2024 16:02
2 participants