
dependabot updates for September #1796

Closed
cantsin opened this issue Sep 18, 2024 · 7 comments
Comments

@cantsin
Member

cantsin commented Sep 18, 2024

We have some fairly complicated library updates that need looking into:

  • djangorestframework update seems to break tests
  • websocket and puppeteer both need to be updated in tandem
  • certifi needs to be updated but dependabot can't seem to actually create a PR
  • And whatever else is in the "Security" -> "Dependabot alerts" section
@nateborr
Member

If at all possible I'd like to resolve our Tock monitoring issues in #1792 before applying these updates, so that we'll be able to detect errors and other unexpected behavior in production when we apply these library updates.

@nateborr
Member

I'll proceed with these updates. #1792 has been resolved, we have application monitoring for Tock again, and the batch of minor package updates since June 11, 2024 has been deployed.

@nateborr
Member

I've run into multiple issues trying to apply the library updates piecemeal and discussed next steps with @neilmb:

  • We're currently using Pipenv for Python dependency management in Tock, but that tool does not readily allow you to update an individual package and its dependency tree, without resolving and applying all available updates to the package specifications in the project's Pipfile.
  • For this current set of updates, I'm going to do what the team has generally done in similar situations in the past, and attempt to apply all the package updates simultaneously.
  • @neilmb is opening a follow-up issue proposing that we migrate Tock to use Poetry for dependency management, and document that process.

@nateborr
Member

The Python library updates have been applied and released: https://github.com/18F/tock/releases/tag/v20241021.1

I'm still working on resolving the Node library issues in #1819.

@nateborr
Member

#1819 to resolve the Node package update has been merged and looks healthy in staging so far. The primary change is to the automated testing that runs during our CircleCI build and deploy process, and those jobs look healthy too. I'll kick the tires a little more and plan to release the change to production early next week.

I'll also capture a follow-up ticket to investigate stabilizing our browser-based integration testing, since the current Jest/Puppeteer based setup has some brittle elements. Once that's captured and the immediate changes are fully deployed, I'll mark this ticket as resolved.

@nateborr
Member

I've opened #1822 as a follow-up issue.

@nateborr
Member

This is fully deployed to production with https://github.com/18F/tock/releases/tag/v20241031.1.


3 participants