Dependency Sweep - triage dependabot alerts and make actionable upgrades
Closed this issue · 0 comments
User story / feature request
As a maintainer of Cal-ITP systems, I want our dependencies to be as up to date as they reasonably can be in order to avoid painful multiple-major-version upgrades and security issues down the road.
Acceptance Criteria
All reasonably updateable dependencies (those not tied closely to a major infra upgrade, like the switch to Composer 2) should be brought up to the latest version that is well supported by the other dependencies in a given Cal-ITP service.
Notes
Out-of-date dependencies can be identified via Dependabot alerts. A few such alerts are tied to infra that needs careful planning to upgrade, and Dependabot PRs are so atomic that merging them en masse is rarely practical because each one triggers its own CI actions, so the batched approach outlined here may be ideal.
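One way to turn Dependabot's atomic alerts into the batched, per-manifest plan this note suggests, as an added example (not code from the Cal-ITP issue or project); it assumes alert records in the shape of the GitHub REST API "list Dependabot alerts" response, constructed sample alerts, and an assumed `INFRA_TIED` exclusion list for dependencies like Composer that need separate planning:

```python
"""Triage Dependabot alerts into per-manifest upgrade batches. Added example,
not code from the Cal-ITP issue. Records mimic the GitHub REST API "list
Dependabot alerts" shape; alerts are constructed, INFRA_TIED is assumed."""
from collections import defaultdict

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Assumed maintainer-curated list: dependencies whose bump is coupled to a larger
# infra change (the issue's own example is the switch to Composer 2).
INFRA_TIED = {("composer", "composer/composer")}

def _alert(state, ecosystem, name, manifest, severity, fix):
    """Build one record in the Dependabot alert shape (constructed data)."""
    return {"state": state,
            "dependency": {"package": {"ecosystem": ecosystem, "name": name}, "manifest_path": manifest},
            "security_advisory": {"severity": severity},
            "security_vulnerability": {"first_patched_version": {"identifier": fix} if fix else None}}

ALERTS = [  # constructed sample, not real Cal-ITP alerts
    _alert("open", "pip", "django", "api/requirements.txt", "medium", "3.2.2"),
    _alert("open", "pip", "django", "api/requirements.txt", "high", "3.2.4"),
    _alert("open", "pip", "requests", "api/requirements.txt", "low", "2.25.1"),
    _alert("open", "npm", "lodash", "web/package-lock.json", "critical", "4.17.21"),
    _alert("open", "composer", "composer/composer", "php/composer.lock", "high", "2.0.0"),
    _alert("open", "npm", "leftover", "web/package-lock.json", "low", None),
    _alert("dismissed", "pip", "urllib3", "api/requirements.txt", "high", "1.26.5"),
]

def _vkey(version):
    """Numeric sort key for dotted versions; enough to pick the higher fix."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def plan_batches(alerts, infra_tied=INFRA_TIED):
    """Group open alerts by manifest so each batch is one PR and one CI run.
    Returns (batches, deferred): manifest_path -> severity-ordered list of
    (package, fix_version, worst_severity), plus infra-tied or unfixable alerts."""
    per_manifest, deferred = defaultdict(dict), []
    for a in (x for x in alerts if x["state"] == "open"):  # fixed/dismissed need no action
        pkg, sev = a["dependency"]["package"], a["security_advisory"]["severity"]
        fix = (a["security_vulnerability"]["first_patched_version"] or {}).get("identifier")
        if (pkg["ecosystem"], pkg["name"]) in infra_tied or fix is None:
            deferred.append((pkg["name"], fix, sev))  # needs its own planning
            continue
        bucket = per_manifest[a["dependency"]["manifest_path"]]
        old_fix, old_sev = bucket.get(pkg["name"], (fix, sev))
        # one package may carry several alerts: keep highest fix, worst severity
        bucket[pkg["name"]] = (max(fix, old_fix, key=_vkey),
                               min(sev, old_sev, key=SEVERITY_RANK.get))
    return ({m: sorted(((n, f, s) for n, (f, s) in b.items()),
                       key=lambda t: (SEVERITY_RANK[t[2]], t[0]))
             for m, b in per_manifest.items()}, deferred)
```

Each batch maps to one manifest, so one upgrade PR and one CI run per service instead of one per alert, while the deferred list is what still needs hand planning.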