WIP: Re-enable Dependabot security updates #1071
Commits on Aug 3, 2022
-
WIP: Re-enable Dependabot security updates
GitHub automatically opts all qualifying repos in for security updates, but this gets overwritten by the presence of a `dependabot.yml` file, which we have in most repos. We’ll therefore need to edit the Dependabot config to fix security-related PRs not being raised.

It’s not immediately clear from the docs exactly what’s needed to opt in, but we believe our use of an allow-list may be the issue. We get some value from configuring Dependabot to raise fewer PRs (i.e. only update the dependencies we care about), but we need security updates for _all_ dependencies, so this commit is an attempt to write a rule that allows security PRs but won’t affect the rest of our config.

See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file

Trello: https://trello.com/c/nqliwwxV/2952-investigate-how-to-fix-dependabot-not-raising-security-prs
Commit 90b893c
-
WIP: Switch brakeman policy from 'direct' to 'all'
We think Brakeman is only raising security PRs for direct dependencies, so if a security vulnerability exists in a subdependency, we're not getting PRs. This commit should fix that.
Commit 9d0b8d8
-
Bump brakeman from 5.2.1 to 5.2.3
Bumps [brakeman](https://github.com/presidentbeef/brakeman) from 5.2.1 to 5.2.3.
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v5.2.1...v5.2.3)

---
updated-dependencies:
- dependency-name: brakeman
  dependency-type: indirect
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Commit 63f390e
-
Bump gds-api-adapters from 81.0.3 to 81.0.4
Bumps [gds-api-adapters](https://github.com/alphagov/gds-api-adapters) from 81.0.3 to 81.0.4.
- [Release notes](https://github.com/alphagov/gds-api-adapters/releases)
- [Changelog](https://github.com/alphagov/gds-api-adapters/blob/main/CHANGELOG.md)
- [Commits](alphagov/gds-api-adapters@v81.0.3...v81.0.4)

---
updated-dependencies:
- dependency-name: gds-api-adapters
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Commit 9848484
-
EDIT: misunderstood. Reverting.
This only defines whether we want to get PRs for subdependencies of brakeman.
Commit 129e96e
Commits on Aug 4, 2022
-
WIP: specify a target-branch to allow security PRs back through
According to [the docs](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#target-branch), Dependabot will ignore the configs in dependabot.yml for security PRs, if a target-branch has been set to something other than the default branch.

I'm hoping to accomplish two things with these changes:

1) Allow security PRs through again (even if they are for dependencies not on the `allow` list)
2) Have a way of distinguishing between security and non-security-related PRs (by the absence of the new `not-security` label).

Apart from the verbosity of the config, this does cause one new issue: what to do with the `latest-dependencies` branch (we'll definitely have to automate merging that to `main`, or at least automate opening a PR to `main`). We'll also need to figure out what happens if the `latest-dependencies` branch has not been created yet.
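The allow-list problem from the first commit and the `target-branch` workaround from this one, shown side by side as an added example of the config shape (this is not the repository's own dependabot.yml; the ecosystem, directory and schedule values are assumed, the gem names come from the commits on this page):

```yaml
# Added example, not the repository's actual dependabot.yml.
# Assumed: bundler ecosystem at the repo root with a daily schedule.
version: 2
updates:
  # Before: an allow-list and no target-branch. Because a dependabot.yml is
  # present, the repo's default security-update opt-in is replaced by this
  # config, and security PRs are constrained by the same allow-list, so a
  # vulnerable gem outside the list (e.g. rails) never gets a security PR.
  #
  #   - package-ecosystem: "bundler"
  #     directory: "/"
  #     schedule:
  #       interval: "daily"
  #     allow:
  #       - dependency-name: "gds-api-adapters"
  #
  # After: send version updates to a non-default branch. Per the docs linked
  # above, Dependabot then ignores this config for security updates, which are
  # raised against the default branch for any vulnerable dependency. Version
  # updates still honour the allow-list, land on latest-dependencies, and
  # carry a label so they can be told apart from security PRs (which have none).
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "daily"
    target-branch: "latest-dependencies"   # has to be created first, per the commits above
    labels:
      - "not-security"
    allow:
      - dependency-name: "gds-api-adapters"
      - dependency-name: "brakeman"
        dependency-type: "direct"   # PRs for brakeman itself, not its subdependencies
```

Anything merged to `latest-dependencies` still has to reach `main`, which is the follow-up the commit message flags.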
Commit e4547d8
-
Test: downgrade to Rails version with known vulnerability
This was fixed in #1064. An ActiveRecord vulnerability existed which was fixed by a patch in Rails. By removing it, I'm hoping Dependabot will raise a PR to patch Rails again. This time, however, I've also removed Rails (and related gems) from the allow-list, which previously would have stopped the security PR from being raised. Now that we have the `target-branch` workaround, I'm hoping the PR will be raised. I will need to recreate the `latest-dependencies` branch from this branch first, and then trigger a Dependabot scan.
Commit be7b5e3
Commits on Aug 15, 2022
-
Merge pull request #1072 from alphagov/dependabot/bundler/brakeman-5.2.3
Bump brakeman from 5.2.1 to 5.2.3
Commit ab30138
-
Merge pull request #1073 from alphagov/dependabot/bundler/gds-api-adapters-81.0.4
Bump gds-api-adapters from 81.0.3 to 81.0.4
Commit 724e432