From 48cf8627a30319962368885cd628262ce3f7f6d1 Mon Sep 17 00:00:00 2001
From: "Andi P @ CoreMedia"
Date: Tue, 20 Aug 2024 17:26:40 +0200
Subject: [PATCH 1/5] Explicitly managing packageManager ... to re-enable dependency collection by Dependabot. See https://github.com/dependabot/dependabot-core/pull/10073
---
 package.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/package.json b/package.json
index 8b414c0fdd..67fa12e3ab 100644
--- a/package.json
+++ b/package.json
@@ -11,6 +11,7 @@
 "node": "20",
 "pnpm": "^9.4"
 },
+ "packageManager": "pnpm@9.4.0"
 "private": true,
 "description": "Plugins required or recommended to use CKEditor 5 within CoreMedia Studio.",
 "keywords": [
From 88cde4d0ad1d3b01349687c25c018879f6a77d55 Mon Sep 17 00:00:00 2001
From: "Andi P @ CoreMedia"
Date: Tue, 20 Aug 2024 17:32:50 +0200
Subject: [PATCH 2/5] Add missing comma
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 67fa12e3ab..df468b8761 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
 "node": "20",
 "pnpm": "^9.4"
 },
- "packageManager": "pnpm@9.4.0"
+ "packageManager": "pnpm@9.4.0",
 "private": true,
 "description": "Plugins required or recommended to use CKEditor 5 within CoreMedia Studio.",
 "keywords": [
From 54794a96a077fe34391a246213d092a632921fab Mon Sep 17 00:00:00 2001
From: "Andi P @ CoreMedia"
Date: Wed, 21 Aug 2024 13:13:26 +0200
Subject: [PATCH 3/5] Create dependabot.yml
---
 .github/dependabot.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..5f0889ce91
--- /dev/null
+++ b/.github/dependabot.yml
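Review bot: The `packageManager` pin added in PATCH 1/5 and completed in PATCH 2/5 carries no integrity hash, so Corepack resolves `pnpm@9.4.0` by version alone and performs no download verification. Corepack accepts an integrity suffix in this field, e.g. `"packageManager": "pnpm@9.4.0+sha512.<hash-placeholder>"` (the form `corepack use` emits), which verifies the package manager itself rather than only the dependencies this series sets Dependabot up to watch. Note also that `engines.pnpm` remains `^9.4` while `packageManager` pins `9.4.0`; they agree today but will drift once Dependabot bumps one field and not the other — presumably Dependabot maintains `packageManager` after the linked change, which is worth confirming.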
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+ - package-ecosystem: "npm" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
From 47594a15b9d58bef2d2936df5ad0adb1bb36c127 Mon Sep 17 00:00:00 2001
From: "Andi P @ CoreMedia"
Date: Wed, 21 Aug 2024 13:16:24 +0200
Subject: [PATCH 4/5] Update on_pull_request_push.yml Adding dependency-review to jobs
---
 .github/workflows/on_pull_request_push.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/.github/workflows/on_pull_request_push.yml b/.github/workflows/on_pull_request_push.yml
index f64248d2b0..798ac102fa 100644
--- a/.github/workflows/on_pull_request_push.yml
+++ b/.github/workflows/on_pull_request_push.yml
@@ -55,3 +55,13 @@ jobs:
 secrets: inherit
 with:
 doc: true
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@v4
+ - name: Dependency Review
+ uses: actions/dependency-review-action@v4
+ with:
+ # Possible values: "critical", "high", "moderate", "low"
+ fail-on-severity: critical, high
From 22aa7ad0fa587eaa42df045980d5302945a40b55 Mon Sep 17 00:00:00 2001
From: "Andi P @ CoreMedia"
Date: Wed, 21 Aug 2024 13:18:49 +0200
Subject: [PATCH 5/5] Update on_pull_request_push.yml Update fail-on-severity to match documentation
---
 .github/workflows/on_pull_request_push.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/on_pull_request_push.yml b/.github/workflows/on_pull_request_push.yml
index 798ac102fa..ee7404e38c 100644
--- a/.github/workflows/on_pull_request_push.yml
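Review bot: The new config registers only the `npm` ecosystem, so the `actions/checkout@v4` and `actions/dependency-review-action@v4` references that PATCH 4/5 adds to the workflow will never receive Dependabot updates, although workflow tooling is exactly the kind of dependency this series is trying to keep current. A second `updates` entry for the `github-actions` ecosystem covers them; its `directory` is `/` because Dependabot looks under `.github/workflows` from there. The `npm` entry is the right choice for a pnpm repository, since Dependabot handles pnpm under that ecosystem, so no change is needed to it.

```yaml
updates:
  # … unchanged: npm entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```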
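Review bot: The new `dependency-review` job declares no `permissions:` and no `if:` condition, so it runs with whatever default token scope the repository grants, and if this workflow also triggers on `push` as its filename suggests, the action fails outside a pull-request context because it has no base and head ref to compare (the workflow's `on:` block is outside the hunk, so this is inferred). Adding `permissions:` with `contents: read` beneath it at job level, and `if: github.event_name == 'pull_request'`, limits the token to what the review needs and runs the job only where it can do its comparison. Both steps also reference floating tags, `actions/checkout@v4` and `actions/dependency-review-action@v4`; pinning each to a full commit SHA with the tag kept in a trailing comment is the usual way to keep a moved or compromised tag from changing what runs on every pull request. The enclosing `jobs:` mapping starts outside this hunk.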
+++ b/.github/workflows/on_pull_request_push.yml
@@ -64,4 +64,4 @@ jobs:
 uses: actions/dependency-review-action@v4
 with:
 # Possible values: "critical", "high", "moderate", "low"
- fail-on-severity: critical, high
+ fail-on-severity: critical
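Review bot: Changing the value to `critical` stops high-severity advisories from failing the job at all, which is a narrower gate than PATCH 4/5 intended with `critical, high`. In `actions/dependency-review-action`, `fail-on-severity` is a threshold rather than a list: the job fails for any advisory at the given severity or above, so `fail-on-severity: high` is the single valid value that keeps both levels blocking. The comment above it, `# Possible values: "critical", "high", "moderate", "low"`, would be clearer as `# Threshold: fails on advisories at this severity or higher` so the next editor does not reach for the list form again. The enclosing `dependency-review` job begins outside this hunk.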