Nuxeo Platform: NXP-31424

Merge Dependabot pull requests automatically


    Details

    • Type: New Feature
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.10-HF69, 2023.0, 2021.30
    • Component/s: Security

      Description

      Currently, Dependabot detects dependencies with known vulnerabilities (CVEs) and creates a security alert, with an associated pull request that bumps the dependency to a fixed version.
      These pull requests have to be approved and merged manually.
      We want Dependabot pull requests to be approved and merged automatically once all GitHub checks pass.

      Moreover, we want to activate Dependabot version updates, to keep the packages we use on their latest versions. This will regularly open pull requests that bump dependencies even when they are not flagged as vulnerable.

      The Dependabot pull requests:

      • Will only bump minor or patch versions; major upgrades are excluded.
      • Won't reference a Jira issue in their Git commit message; we accept this rather than having to amend each commit message.
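
      One way to implement the two parts of this request (version updates limited to minor/patch, and auto-approve plus auto-merge gated on the checks), written as an added example for this issue rather than Nuxeo's actual configuration. The file paths, the Maven ecosystem, the weekly schedule and the squash merge strategy are assumptions; the `dependabot/fetch-metadata` action and the `gh` commands are GitHub's own. Both files are shown as one multi-document YAML stream:

```yaml
# .github/dependabot.yml (assumed path; "maven" is an assumed ecosystem)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Version updates stay within minor/patch: major bumps are never proposed.
    # Note: this ignore rule does not apply to Dependabot *security* updates,
    # which may still propose a major bump; the workflow below re-checks that.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
---
# .github/workflows/dependabot-auto-merge.yml (assumed path)
name: Dependabot auto-merge
on: pull_request

# Runs triggered by Dependabot get a read-only GITHUB_TOKEN unless the
# workflow raises it explicitly; this is the minimum needed to review/merge.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Both conditions matter: the PR must be authored by Dependabot, and the
    # push that triggered this run must also come from Dependabot, so a commit
    # a human adds to the bot's branch is never approved automatically.
    if: >-
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.actor == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

      # Independent gate on the semver update type (covers security PRs too).
      - name: Approve and enable auto-merge (minor/patch only)
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr review --approve "$PR_URL"
          # --auto does not merge now: GitHub merges only once every
          # *required* status check on the protected branch has passed.
          gh pr merge --auto --squash "$PR_URL"
```

      For the "if all checks pass" condition to hold, the repository needs "Allow auto-merge" enabled and a branch protection rule that lists the CI jobs as required status checks; a check that is not marked required is not waited on. The approval is recorded as a review from github-actions[bot], which satisfies a "require approvals" rule, so the effective safety gate is the required checks, not a human review.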
