From 7b1fe3156df9be12e58ff33e59cdc2d9d0a005be Mon Sep 17 00:00:00 2001 From: Jonathan Yu Date: Fri, 12 Mar 2021 11:46:18 -0800 Subject: [PATCH] chore: use dependabot to manage dependencies (#2830) Use dependabot to manage the dependencies defined in package.json and GitHub Actions workflows, so that we can proactively update versions. Outdated versions of third-party dependencies frequently have known security vulnerabilities with CVEs. --- .github/dependabot.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..bd36fd256 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" + time: "11:00" + assignees: + - "jawnsy" + reviewers: + - "jawnsy" + ignore: + # GitHub always delivers the latest versions for each major + # release tag, so handle updates manually + - dependency-name: "actions/*" + + - package-ecosystem: "npm" + directory: "/" + schedule: + interval: "daily" + time: "11:00" + assignees: + - "jawnsy" + reviewers: + - "jawnsy"