Electron based on a severity vulnerability (develop) #3207
Conversation
We usually update dependencies shortly before the release. Might be a good time to update the other dependencies in this PR too, can you do that? (Only minor and patch versions though)
Hmm... sure. I wondered if you had "dependabot"; naturally yes. But it's weird.
Why do you use
Actual result: it checks nothing. I just replaced it with
Insights -> Dependency graph -> Dependabot
I ask myself the question: is this intended or not?
Maybe that's why you never have any
Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) from 29.6.4 to 29.7.0.
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v29.7.0/packages/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sinon](https://github.com/sinonjs/sinon) from 15.2.0 to 16.0.0.
- [Release notes](https://github.com/sinonjs/sinon/releases)
- [Changelog](https://github.com/sinonjs/sinon/blob/main/docs/changelog.md)
- [Commits](sinonjs/sinon@v15.2.0...v16.0.0)

---
updated-dependencies:
- dependency-name: sinon
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [electron](https://github.com/electron/electron) from 26.1.0 to 26.2.2.
- [Release notes](https://github.com/electron/electron/releases)
- [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md)
- [Commits](electron/electron@v26.1.0...v26.2.2)

---
updated-dependencies:
- dependency-name: electron
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [playwright](https://github.com/Microsoft/playwright) from 1.37.1 to 1.38.1.
- [Release notes](https://github.com/Microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.37.1...v1.38.1)

---
updated-dependencies:
- dependency-name: playwright
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [eslint-plugin-jest](https://github.com/jest-community/eslint-plugin-jest) from 27.2.3 to 27.4.0.
- [Release notes](https://github.com/jest-community/eslint-plugin-jest/releases)
- [Changelog](https://github.com/jest-community/eslint-plugin-jest/blob/main/CHANGELOG.md)
- [Commits](jest-community/eslint-plugin-jest@v27.2.3...v27.4.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-jest
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc) from 46.5.1 to 46.8.2.
- [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases)
- [Changelog](https://github.com/gajus/eslint-plugin-jsdoc/blob/main/.releaserc)
- [Commits](gajus/eslint-plugin-jsdoc@v46.5.1...v46.8.2)

---
updated-dependencies:
- dependency-name: eslint-plugin-jsdoc
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps [eslint](https://github.com/eslint/eslint) from 8.48.0 to 8.50.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v8.48.0...v8.50.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Should I reverse?
Codecov Report

```
@@           Coverage Diff            @@
##           develop    #3207   +/-   ##
========================================
  Coverage    25.19%   25.19%
========================================
  Files           54       54
  Lines        11933    11933
========================================
  Hits          3007     3007
  Misses        8926     8926
```
Oh, it does check: the GitHub Actions we use. So, not sure if having dependabot check our npm dependencies too will result in too much noise. Maybe worth checking out. So, please revert your change and maybe open a new PR adding another entry in dependabot for npm dependencies.
.github/dependabot.yaml
@@ -1,6 +1,6 @@ | |||
version: 2 | |||
updates: | |||
- package-ecosystem: "github-actions" | |||
- package-ecosystem: "npm" |
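Review bot: replacing the `github-actions` entry with `npm` removes Dependabot coverage for the workflow actions instead of adding npm next to it; the header `@@ -1,6 +1,6 @@` shows only that one `package-ecosystem` line changes, so the file ends up with a single ecosystem again. Keep the existing `- package-ecosystem: "github-actions"` item and append a second item under `updates:` with `- package-ecosystem: "npm"`, its own `directory` and a `schedule` (the thread settles on monthly), so both ecosystems are checked.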
Yes, please revert.
So... I don't understand why this file, because dependency-review for the test suite is there.
I think creating a monthly dependabot is not bad.
Sure... we have to check every dependency found, but it can help:
- a little time saving
- just checking if the dependency is in package.json (so as not to update a sub-dependency)
- being able to test the dependabot branch
In any case I will reverse it.
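The two configurations the thread is arguing about, side by side, as an added illustration that is not the project's own `.github/dependabot.yaml` and not this PR's diff: the single-entry form this PR introduced (which drops the GitHub Actions check) is shown in the comment, followed by a file that keeps the `github-actions` entry and adds an `npm` entry on a monthly schedule, as the maintainer asked. The `directory`, `schedule`, `open-pull-requests-limit` and `ignore` values are assumptions; the `ignore` block follows the earlier request for minor and patch updates only.

```yaml
# Added example, not the project's own .github/dependabot.yaml.
#
# As changed in this PR, one entry replaced the github-actions one, so the
# workflow actions were no longer checked at all:
#
#   version: 2
#   updates:
#     - package-ecosystem: "npm"
#
# Keeping both ecosystems instead (directory, schedule, limit and ignore
# values are assumptions; the ignore block keeps Dependabot to minor/patch):
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 10
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Dependabot reads the `updates` list as independent jobs, so the npm entry's monthly cadence and major-version ignore do not affect how the Actions entry behaves.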
Like mentioned [there](#3207 (comment)), I opened a PR with npm dependabot (monthly). It might be interesting to have an overview every month.

---------

Co-authored-by: Veeck <[email protected]>
I just saw the electron package used in the develop branch has 1 high severity vulnerability.
Details are there.
We can patch it with electron v26.2.2 (latest version as of today), and that will correct it.
(ChangeLog is not needed in this case)