
Enable Dependabot for NPM packages #86

Closed
donpui opened this issue Nov 23, 2022 · 19 comments
Labels: Tech Debt (Technical debt, small improvements to code, libraries)

Comments

donpui (Contributor) commented Nov 23, 2022

Enable GitHub Dependabot for NPM packages to scan for security issues with packages.

For discussion, should we configure only production packages scanning or also devDependencies?

donpui (Contributor, Author) commented Dec 6, 2022

@btlogy maybe you could look at this issue?

btlogy (Contributor) commented Dec 6, 2022

I just had a quick look. And my first impressions are:

  • Dependabot encompasses 3 different features: alerts, security updates and version updates. Are we talking only about alerts in this issue @donpui?
  • Dependabot features can be enabled only by repository owners or people with admin access, which I don't have (yet) in this repository.
  • The Dependabot feature does not seem to be configurable via the Terraform module we are using today.

@wuan, can you give us some guidance on how to go further here?

As for the discussion, I'm not sure there is a way to scan only production packages. In a repository I'm testing, it seems like we can only enable or disable the Dependabot Alert feature. Not much to configure there.
This being said, my experience with GitHub features is still a WiP...

donpui (Contributor, Author) commented Dec 6, 2022

I was more thinking about security alerts. There is a possibility to configure it via the GitHub interface, but maybe it is possible to configure it via a .yml file: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file and then push the changes here?
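For reference, this is what a minimal `.github/dependabot.yml` for an npm project looks like when restricted to production dependencies, as raised in the comments above. It is an added example written for this thread, not a file from the repository; the weekly schedule, root `directory` and pull-request limit are assumptions. Note that this file configures Dependabot version updates (the automated PRs) only; alerts are a separate repository setting that this file does not turn on.

```yaml
# .github/dependabot.yml (added example, not the repository's own file)
version: 2
updates:
  - package-ecosystem: "npm"      # scan package.json / package-lock.json
    directory: "/"                # assumption: manifest lives at the repo root
    schedule:
      interval: "weekly"          # assumption: weekly is frequent enough here
    allow:
      # Only open update PRs for production dependencies; devDependencies
      # are still covered by alerts, but will not generate PRs.
      - dependency-type: "production"
    open-pull-requests-limit: 5   # assumption: cap noise from many updates
```

With `dependency-type: "production"` the devDependencies discussed in this thread are excluded from version-update PRs; dropping the `allow` block returns to the default of updating everything.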

donpui (Contributor, Author) commented Dec 6, 2022

Also, if we run npm audit now, it will find some issues, but if we omit dev packages (omit=dev), there are currently no vulnerabilities (according to npm audit). For discussion: should we enable it for all packages and have the pain, or should we focus only on the prod packages (which are deployed)?
FYI @JustusFT

wuan (Contributor) commented Dec 6, 2022

Support for the security_and_analysis block seems to be on the way: mineiros-io/terraform-github-repository#143

It would be best to set this via the Terraform configuration.

btlogy (Contributor) commented Dec 6, 2022

> Support for the security_and_analysis block seems to be on the way: mineiros-io/terraform-github-repository#143

Good catch @wuan. My search results were empty there (not always indexed apparently).

btlogy (Contributor) commented Dec 6, 2022

> I was more thinking about security alerts. There is a possibility to configure it via the GitHub interface, but maybe it is possible to configure it via a .yml file: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file and then push the changes here?

This looks like a nice way to tune Dependabot @donpui, but I think it needs to be enabled for the repository first.

btlogy (Contributor) commented Dec 6, 2022

> Also, if we run npm audit now, it will find some issues, but if we omit dev packages (omit=dev), there are currently no vulnerabilities (according to npm audit). For discussion: should we enable it for all packages and have the pain, or should we focus only on the prod packages (which are deployed)?

With this in mind, and since it is only about alerting: should we not then add a GitHub action to npm audit rather than enable Dependabot @donpui?

I'm only asking because enabling this as requested would mean using yet another platform feature we can rely on only for some of our projects (i.e.: not for PrivateStorageWeb for instance).

@donpui donpui added the Tech Debt Technical debt, small improvements to code, libraries label Dec 22, 2022
donpui (Contributor, Author) commented Jan 19, 2023

> With this in mind, and since it is only about alerting: should we not then add a GitHub action to npm audit rather than enable Dependabot @donpui?

We can have mixed usage: run it in GitHub Actions and also on GitHub. GitHub Dependabot provides a web interface and can also create PRs.
The downside of CI is that if there are no changes, no checks are done. Dependabot runs regularly. Although maybe CI can also be set up to run regularly.
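The "run npm audit in CI on a schedule" option discussed above looks like the following workflow. This is an added example for this thread, not a workflow from the repository; the cron expression, Node version and the `high` failure threshold are assumptions. It addresses the concern that CI only runs on changes by adding a `schedule` trigger, and it separates the production-only check (which fails the job) from the full report, mirroring the `--omit=dev` split used in the npm audit comment above.

```yaml
# .github/workflows/npm-audit.yml (added example, not the repository's own file)
name: npm audit

on:
  schedule:
    - cron: "0 6 * * 1"   # assumption: every Monday 06:00 UTC, so it runs even without pushes
  push:
    branches: [main]      # assumption: default branch name
  workflow_dispatch:      # allow a manual run from the Actions tab

permissions:
  contents: read          # read-only token; the job only reads the lockfile

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-node@v3
        with:
          node-version: 18  # assumption: project runs on Node 18
          cache: npm

      # Production dependencies only (what actually ships). Any advisory of
      # severity high or critical fails the job and is visible to everyone
      # who can see CI, not just repository admins.
      - name: Audit production dependencies
        run: npm audit --omit=dev --audit-level=high

      # Full audit including devDependencies, for information only: the
      # trailing `|| true` keeps the job green so dev-only findings do not
      # block the pipeline but still appear in the log.
      - name: Audit all dependencies (report only)
        run: npm audit || true
```

Raising or lowering `--audit-level` is the knob for how much "pain" the team accepts; dropping `--omit=dev` from the first step makes devDependency findings blocking as well.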

donpui (Contributor, Author) commented Jan 19, 2023

Let's enable Dependabot first (as it is the quickest option), while we explore and work out a more common approach across all repos.

donpui (Contributor, Author) commented Jan 19, 2023

Actually, Dependabot is already enabled in this repo, however only Admin-level users can see it. Plus or not, if the security check runs in CI, it could be seen by users with lower rights.

btlogy (Contributor) commented Jan 20, 2023

Nearly 2 months since mineiros-io/terraform-github-repository#143 and not yet merged...
I can push a dependabot.yml file, but I feel like I'll be poking in the dark as long as I'm not an Admin...
I'll test in a sandbox repo...

wuan (Contributor) commented Jan 20, 2023

We can enable Dependabot manually for selected repositories so that we do not need to wait for the update and in parallel all click on the thumbs up here: mineiros-io/terraform-github-repository#145.

donpui (Contributor, Author) commented Jan 23, 2023

For Winden it is already enabled.

@donpui donpui closed this as completed Jan 23, 2023
btlogy (Contributor) commented Jan 23, 2023

For the record: I've tested dependabot.yml elsewhere and this did not enable the alerting.

wuan (Contributor) commented Jan 26, 2023

> For the record: I've tested dependabot.yml elsewhere and this did not enable the alerting.

Having a look at the "Code security and analysis" section in the repo settings it looks like Dependabot is enabled:

[screenshot of the "Code security and analysis" settings page]

btlogy (Contributor) commented Jan 26, 2023

Thank you @wuan.

From this screenshot we can confirm Dependabot is enabled, but alerting is disabled!
Now, when I've asked earlier:

> Dependabot encompasses 3 different features: alerts, security updates and version updates. Are we talking only about alerts in this issue @donpui?

@donpui replied:

> I was more thinking about security alerts.

Thus, is this issue really resolved?

donpui (Contributor, Author) commented Jan 27, 2023

> Thus, is this issue really resolved?

Alerts are enabled; the button shows that you can disable them :) However, they are visible in the Security Dashboard only to those who have certain rights. Dependabot also allows creating PRs automatically, however this means public disclosure.

btlogy (Contributor) commented Jan 27, 2023

> Alerts are enabled; the button shows that you can disable them :)

Oops...
Now I see :-p
I found that way of presenting the disable/enable button a bit counter-intuitive, but I'll get used to it, I guess.
Thank you @donpui.
