leoforfree/cz-customizable

audit log issues: review + merge dependabot's pull requests

patrickp-rthinfo opened this issue · 3 comments

Hello,

despite cz-customizable being a dev dependency, it would be great if someone with write access could review + merge the pull requests filed by dependabot. As of now, cz-customizable is flagged within npm audit for having several vulnerable dependencies (some of them direct, some transitive).

Yes, I am keen to improve the security @patrickp-rthinfo.
I've been merging some upgrade PRs.
How can we proceed? Any suggestions?

Personally, I like Snyk. You might also consider dependency tracker.

I created a PR to add Trivy yesterday: #194 (still open)
What do you think about Trivy? That's what we are using at work. Is Snyk better than Trivy?

This repo also has codeQL.

Your initial question was around dependency and sec. Yes, I am going to address both.

  • I created a PR to remove several: #188
  • I updated all dependencies: #195
  • converted all tests to Jest (code coverage is still a WIP)