We need a solution to keep us on top of required npm package updates.
Status Quo:
- LibraryUpgrader2 runs on most Gerrit repositories (but not on nested packages)
  - https://gerrit.wikimedia.org/r/plugins/gitiles/labs/libraryupgrader/config/+/refs/heads/master/repositories.json
  - https://libraryupgrader2.wmcloud.org/vulns/npm?branch=master
  - There are no email notifications for this
- Dependabot runs for most of our GitHub repositories (but not for nested packages?)
- There is a daily Jenkins job that runs npm audit for WikibaseLexeme
  - This was added in https://gerrit.wikimedia.org/r/c/573235
  - This is still running: https://integration.wikimedia.org/ci/job/wikibase-daily-npm-audit-daily-node10-npmaudit-docker
Speculation around approach:
- During ticket polishing we discussed whether a recurring calendar event (in the spirit of https://en.wikipedia.org/wiki/Patch_Tuesday) could be enough?
- Simply running npm audit automatically could probably also be achieved with Jenkins and GitHub Actions, with email notifications
Acceptance criteria:
- Know all of the places that we have package.json files that need to be audited (and their current state in terms of audit being run)
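As an added example (not part of this ticket or any existing WMF job), a small Python script that covers both points above: it finds every package.json in a checkout, nested packages included and node_modules skipped, runs `npm audit --json` in each, and exits non-zero if any package has high or critical findings, which is the shape a Jenkins or GitHub Actions job would need. The severity threshold, the sample repository layout and the sample audit report are constructed assumptions.

```python
import json
import os
import subprocess
import sys
import tempfile
from typing import Dict, List

SKIP_DIRS = {"node_modules", ".git"}
SEVERITIES = ("info", "low", "moderate", "high", "critical")
FAILING = ("high", "critical")  # assumption: severities that should fail the scheduled job

def find_package_dirs(root: str) -> List[str]:
    """Every directory under root holding a package.json, nested packages included, node_modules skipped."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)  # prune in place
        if "package.json" in filenames:
            found.append(os.path.relpath(dirpath, root))
    return found

def summarise_audit(report_json: str) -> Dict[str, int]:
    """Severity counts from `npm audit --json`; npm 6 and npm 7+ both emit metadata.vulnerabilities."""
    counts = json.loads(report_json).get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}

def should_fail(summary: Dict[str, int]) -> bool:
    return any(summary[sev] > 0 for sev in FAILING)

def run_audit(package_dir: str) -> str:
    # npm audit exits non-zero whenever it reports findings, so the exit code is not treated as an error here.
    proc = subprocess.run(["npm", "audit", "--json"], cwd=package_dir, capture_output=True, text=True, check=False)
    return proc.stdout

def make_sample_tree() -> str:
    """Constructed layout: a root package, a nested package, and a node_modules package that must be ignored."""
    root = tempfile.mkdtemp()
    for rel in ("package.json", "nested/pkg/package.json", "node_modules/dep/package.json"):
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write('{"name": "sample"}')
    return root

SAMPLE_REPORT = json.dumps({"metadata": {"vulnerabilities": {  # constructed, not real advisory data
    "info": 0, "low": 2, "moderate": 0, "high": 1, "critical": 0, "total": 3}}})

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    failed = False
    for rel in find_package_dirs(root):
        summary = summarise_audit(run_audit(os.path.join(root, rel)))
        print(rel, summary)
        failed = failed or should_fail(summary)
    sys.exit(1 if failed else 0)
```

Run it from a scheduled job as `python audit_all.py /path/to/checkout`; the job's own failure notification then serves as the missing email alert.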