Add dependabot config + use npm ci in container build#345
Open
woltspace-jerpint[bot] wants to merge 2 commits into
Two coupled changes so dependabot's PRs actually take effect.

dependabot.yml covers:
- npm (root package.json: ws, node-pty)
- pip (server/, container/bot/, root pyproject — all PEP 621)
- docker (container/Dockerfile — base image bumps)
- github-actions (future-proof for when workflows land)

Weekly cadence per ecosystem, 5 PRs/week cap. Vuln alerts fire instantly regardless of cadence (those are GitHub's Security tab).

Dockerfile: `npm install && npm install ws node-pty` → `npm ci`. The old line had two issues:
1. `npm install` mutates the lockfile and can resolve newer versions than what's pinned, defeating the point of dependabot reviewing PRs.
2. The trailing `npm install ws node-pty` was redundant — both are in package.json — and explicitly bypassed the lockfile to fetch latest.

Verified package-lock.json contains ws + node-pty so `npm ci` produces the same install.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
server/ and container/bot/ are the source of truth for runtime deps (each has its own uv.lock and is what the Dockerfile actually installs). The root pyproject is only used by the test runner — its runtime dependencies array is a hand-maintained duplicate of the per-service pyprojects, and scanning it would produce duplicate alerts.

Inline comment in dependabot.yml documents the reason so this doesn't get re-added by accident.

Follow-up: slim the root pyproject so its only declared deps are the test extras (pytest + pytest-asyncio). Tracked separately.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

- `.github/dependabot.yml` covering npm, pip, docker, and github-actions
- `npm install` → `npm ci` so dependabot's lockfile updates aren't silently overridden at build time

Why these together

Dependabot reviews changes against the lockfile. The current Dockerfile runs `npm install && npm install ws node-pty`, which (a) can mutate `package-lock.json` mid-build and (b) the trailing `npm install ws node-pty` explicitly bypasses the lockfile to fetch latest. Net result: dependabot would approve a pinned version, but production would still get whatever npm resolved at build time. `npm ci` fixes that — strict lockfile install, no mutation.

This also means future security PRs from dependabot land in `package-lock.json` and actually ship.

Coverage

| Ecosystem | Directory | Scanned |
|---|---|---|
| npm | `/` | `package.json` + `package-lock.json` (ws, node-pty) |
| pip | `/server` | `server/pyproject.toml` (FastAPI, uvicorn, jinja2, etc.) |
| pip | `/container/bot/` | |
| docker | `/container` | `node:22-slim` |
| github-actions | `/` | |

Weekly cadence, max 5 PRs per ecosystem. Vulnerability alerts fire instantly regardless (those are surfaced via the Security tab, separate from version-bump PRs).

What this does NOT cover

Dependabot only sees manifest-level deps. It can't see:

- (curl, git, gosu, ...)
- worktui
- git clone

That layer needs an image scanner (trivy/grype) — separate PR proposed but not included here.

Test plan

- [ ] `npm ci` — `docker build -f container/Dockerfile container/` completes
- [ ] `package-lock.json` after rebuild (`git diff` clean)
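The Dependabot configuration the summary and coverage sections describe, written out as an added illustration rather than the PR's own `.github/dependabot.yml`: the ecosystems and directories are the ones listed above, the root `pyproject.toml` is left out for the reason given in the second commit, and the schedule and limit fields are standard Dependabot keys matching the "weekly, max 5 PRs" settings.

```yaml
# Illustrative dependabot.yml reconstructed from the PR description above.
# Not the PR's own file; directories and ecosystems are the ones it lists.
version: 2
updates:
  # npm: root package.json / package-lock.json (ws, node-pty)
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # pip: one entry per service. server/ and container/bot/ are the source of
  # truth for runtime deps (each has its own uv.lock and is what the Dockerfile
  # installs). The root pyproject is only used by the test runner and its
  # dependencies array duplicates these, so it is deliberately NOT listed here:
  # scanning it would produce duplicate alerts.
  - package-ecosystem: "pip"
    directory: "/server"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
  - package-ecosystem: "pip"
    directory: "/container/bot"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # docker: base image bumps for container/Dockerfile (node:22-slim)
  - package-ecosystem: "docker"
    directory: "/container"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5

  # github-actions: no workflows yet; picks up .github/workflows when they land
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

The cadence and limit only throttle version-bump PRs; security alerts for these manifests are raised by GitHub's Security tab independently of this file.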