-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependabot updates for eslint, djlint, uswds, and postcss-cli #1715
Conversation
Terraform plan for management No changes. Your infrastructure matches the configuration.
✅ Plan applied in Deploy to Development and Management Environment #70 |
Terraform plan for dev No changes. Your infrastructure matches the configuration.
✅ Plan applied in Deploy to Development and Management Environment #70 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't know what our process will be for these.
Ultimately, our staged deploy process will answer a lot of questions:
- Will the PR commit/deploy to
main
fail? If so, that will blockstaging
. - Will the daily to
staging
fail? If so, we'll know.
So, really, the updates on versions to appease our robotic overlords (I, for one, welcome them) seem like we should test locally, and bring them through. I don't know that we have another way to test.
@asteel-gsa , if you think there's a better way, give a shout.
@danswick thanks for grabbing these updates, much appreciated. @jadudm I brought this up in one of the dev huddles when stylelint was just the problem. RE my findings yesterday, since dependabot forks, it can't actually grab our secrets and run anything, even if it wanted. (we can enable this, but it is a rather large security concern 🤣) So... we realistically have two options.
it is going to build the container from scratch and then run tests with the new dependencies. This is a fairly safe "test" for these version bumps. Can we build the stack, and if we can, can we run our tests against it with those new versions. That is effectively what a dev would do, if they were doing this locally. Basically, what I am trying to say, is that I added this safeguard, thanks to some insight from @neilmb as a means to offset a developers need to do all of this locally. We do gain confidence if it builds in the workflow, passes, and a dev has validated that these bumps don't actually break anything from their perspective on the local stack, but.. from an automation perspective, we have a safety net for these events. Now. Dependabot creating PRs, is more of a visual reminder that we need to upgrade our dependencies. I for one don't regularly check the dependabot security tab for version bumps, but having PRs out there saying these versions are out of date, helps me, and the fact that our |
The answer I found later was to move our dependencies list into We would need someone who understands the implications on local and CI workflows better than me to make that change, though, so I was holding off on suggesting we do that ahead of other stuff on our plate that those people are already occupied with. |
Here's a summary with links and related discussion that I wrote up in another context. |
Per chat with @asteel-gsa, merging dependabot PRs is causing deploy issues. I went ahead and updated a few of the node dependencies to help clear the backlog out.
eslint: #1650
postcss-cli: #1630
uswds: #1629
djlint: #1627
There's also stylelint, but it seems to have a conflicting peer dependency.