cal-itp/data-infra

Dependency Sweep - triage dependabot alerts and make actionable upgrades

Closed this issue · 0 comments

User story / feature request

As a maintainer of Cal-ITP systems, I want our dependencies to be as up to date as they reasonably can be in order to avoid painful multiple-major-version upgrades and security issues down the road.

Acceptance Criteria

All reasonably updateable dependencies (those not tied closely to a major infra upgrade, like the switch to Composer 2) should be brought up to their latest version that is supported well by other dependencies in a given Cal-ITP service.

Notes

Out-of-date dependencies can be evaluated via Dependabot alerts. A few such alerts are tied to infra that needs careful planning to upgrade, and Dependabot PRs are so atomic that they are usually not very handy to merge en masse due to CI actions, so the approach outlined here may be ideal.
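An added example of the triage step described in the notes, not code from cal-itp/data-infra: a small Python script that collapses open Dependabot alerts into one upgrade target per package per manifest, so a sweep can land as one PR per manifest instead of one PR per alert, and sets aside manifests tied to infra that needs its own plan. The alert records are a constructed sample shaped like the GitHub REST API `GET /repos/{owner}/{repo}/dependabot/alerts` response (the field names are an assumption about that API; check them against your own `gh api` output), and the `airflow/` path prefix standing in for Composer-tied manifests is likewise an assumption.

```python
"""Turn Dependabot alerts into per-manifest upgrade batches.

Added example, not cal-itp code. Alert dicts are assumed to follow the shape of
GitHub's Dependabot alerts REST API (assumption); the sample below is constructed.
"""
import json
import re
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample alerts (not real data). Two alerts on the same package,
# one already fixed, one with no patched version yet, one in a deferred manifest.
SAMPLE_ALERTS = [
    {"number": 12, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                    "manifest_path": "warehouse/requirements.txt"},
     "security_advisory": {"severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.31.0"}}},
    {"number": 15, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "requests"},
                    "manifest_path": "warehouse/requirements.txt"},
     "security_advisory": {"severity": "medium"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.20.0"}}},
    {"number": 18, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "apache-airflow"},
                    "manifest_path": "airflow/requirements.txt"},
     "security_advisory": {"severity": "critical"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.6.3"}}},
    {"number": 20, "state": "fixed",
     "dependency": {"package": {"ecosystem": "pip", "name": "urllib3"},
                    "manifest_path": "warehouse/requirements.txt"},
     "security_advisory": {"severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.26.5"}}},
    {"number": 21, "state": "open",
     "dependency": {"package": {"ecosystem": "npm", "name": "lodash"},
                    "manifest_path": "site/package.json"},
     "security_advisory": {"severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}}},
    {"number": 22, "state": "open",
     "dependency": {"package": {"ecosystem": "pip", "name": "pyyaml"},
                    "manifest_path": "warehouse/requirements.txt"},
     "security_advisory": {"severity": "medium"},
     "security_vulnerability": {"first_patched_version": None}},
]


def version_key(version):
    """Sort key for dotted versions: numeric parts compare as ints, the rest as text."""
    parts = []
    for piece in re.split(r"[.\-+]", version):
        parts.append((0, int(piece), "") if piece.isdigit() else (1, 0, piece))
    return tuple(parts)


def triage(alerts, deferred_prefixes=()):
    """Group open alerts into one entry per (manifest, ecosystem, package).

    Returns (batches, deferred): both map manifest_path -> list of entries.
    Manifests whose path starts with any deferred prefix go to `deferred`
    (e.g. the ones tied to a larger infra upgrade) instead of the sweep.
    """
    grouped = defaultdict(list)
    for alert in alerts:
        if alert["state"] != "open":
            continue  # fixed/dismissed alerts need no action
        dep = alert["dependency"]
        key = (dep["manifest_path"], dep["package"]["ecosystem"], dep["package"]["name"])
        grouped[key].append(alert)

    batches, deferred = defaultdict(list), defaultdict(list)
    for (manifest, ecosystem, name), group in sorted(grouped.items()):
        patched = [a["security_vulnerability"]["first_patched_version"]["identifier"]
                   for a in group if a["security_vulnerability"]["first_patched_version"]]
        entry = {
            "package": name,
            "ecosystem": ecosystem,
            "alerts": sorted(a["number"] for a in group),
            "max_severity": max((a["security_advisory"]["severity"] for a in group),
                                key=lambda s: SEVERITY_RANK.get(s, 0)),
            # The lowest version closing every alert is the highest first-patched version.
            "target_version": max(patched, key=version_key) if patched else None,
            "unpatched_alerts": len(group) - len(patched),  # needs a dismissal decision
        }
        bucket = deferred if manifest.startswith(tuple(deferred_prefixes)) else batches
        bucket[manifest].append(entry)
    return dict(batches), dict(deferred)


if __name__ == "__main__":
    # Assumption: airflow/ manifests are the Composer-tied ones that need their own plan.
    batches, deferred = triage(SAMPLE_ALERTS, deferred_prefixes=("airflow/",))
    print(json.dumps({"sweep": batches, "deferred": deferred}, indent=2))
```

Each manifest in `sweep` becomes one hand-made upgrade PR pinning every listed package at its `target_version`; entries with `unpatched_alerts` have at least one alert with no fixed release and need an explicit dismiss-or-mitigate decision rather than a version bump. Feeding it real alerts is a matter of replacing `SAMPLE_ALERTS` with `json.load` over `gh api --paginate repos/<owner>/<repo>/dependabot/alerts` output.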