Describe the User Story
As a security engineer, so that Node dependencies can be managed by automated tooling (e.g., Dependabot, Renovate, npm audit, etc.), I would like Node dependency specifications to be removed from source files (e.g., the Dockerfile) and placed instead in a file intended for dependency tracking (e.g., package.json).
Acceptance Criteria
- Dependency specification removed from Dockerfile, GitHub Action workflow files, etc.
Definition of Done
- Usability tests passed - this user story should be easy to use by real users
- Code refactored for clarity - code must be clean, self-documenting code
- Dependency Rule followed - higher-level code should not depend directly on lower-level code
- Source code merged
- Unit test coverage of our code > 90%
- Security reviewed and reported - includes vulnerability and compliance scanning
- Code quality checks passed
- Build process updated if needed
- API documentation updated if needed
Additional Information
If a package.json (or a similar manifest) approach is used, the setup action becomes more generalized from "install this version of this package" to "install the required dependencies":

```yaml
steps:
  - uses: actions/setup-node@v4
  - run: npm ci
```

This applies not only to GitHub Actions at runtime, but also to Docker image builds. So it would go from

```dockerfile
RUN npm install ...
```

to

```dockerfile
WORKDIR /destination/
# the manifest and lockfile (package.json and package-lock.json); npm ci requires the lockfile
COPY file /destination/
RUN npm ci
```
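The first acceptance criterion ("dependency specification removed from Dockerfile, GitHub Action workflow files") can be checked mechanically. The script below is an added example, not code from the issue or the project: it flags `npm install|i|add <package...>` lines that pin packages inline in a Dockerfile or workflow, and accepts `npm ci` or a bare `npm install`, which read package.json and package-lock.json. The sample Dockerfiles and workflow it scans are constructed here for the demonstration; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not part of the issue or the project): a lint for the acceptance
# criterion "dependency specification removed from Dockerfile, GitHub Action
# workflow files". It flags `npm install|i|add <package...>` lines that pin
# packages inline and accepts `npm ci` or a bare `npm install`, which read
# package.json / package-lock.json instead.

# find_inline_npm_installs FILE...
# Prints "FILE:LINE:TEXT" for every inline package install found (comment lines
# are skipped); returns 1 if anything was found, 0 otherwise.
find_inline_npm_installs() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # After the subcommand, skip any flags (-g, --save, ...), then require an
        # argument that starts like a package name (alphanumeric or a scoped "@").
        hits=$(grep -nE '(^|[^A-Za-z0-9_.-])npm[[:space:]]+(install|i|add)([[:space:]]+-[^[:space:]]*)*[[:space:]]+[@A-Za-z0-9]' "$f" 2>/dev/null \
               | grep -vE '^[0-9]+:[[:space:]]*#' || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed "s|^|$f:|"
            found=1
        fi
    done
    return "$found"
}

# make_samples: writes constructed sample files into a temporary directory and
# prints that directory. The "before" files show the pattern the issue wants
# removed; the "after" file is the package.json + `npm ci` layout it asks for.
make_samples() {
    dir=$(mktemp -d)
    cat >"$dir/Dockerfile.before" <<'EOF'
FROM node:20
# previously: RUN npm install express  (a comment, must not be flagged)
RUN npm install -g npm@10.2.0
RUN npm install --save express@4.18.2 helmet@7.0.0
CMD ["node", "server.js"]
EOF
    cat >"$dir/workflow.before.yml" <<'EOF'
steps:
  - uses: actions/setup-node@v4
  - run: npm install -g serve@14
  - run: npm ci
EOF
    cat >"$dir/Dockerfile.after" <<'EOF'
FROM node:20
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
CMD ["node", "server.js"]
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report on the constructed samples, then clean up.
samples=$(make_samples)
if find_inline_npm_installs "$samples/Dockerfile.before" "$samples/workflow.before.yml" "$samples/Dockerfile.after"; then
    echo "no inline dependency specifications found"
else
    echo "inline dependency specifications found; move them into package.json and use npm ci"
fi
rm -rf "$samples"
```

Point the function at the repository's real Dockerfiles and `.github/workflows/*.yml` files in CI to keep the criterion from regressing; it only understands `npm` (not `pnpm` or `yarn`), so extend the pattern if the project uses another client.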
Related Feature Request
#257