Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: loosened package restriction on Socket.IO #100

Merged
merged 3 commits into from
Sep 7, 2023
Merged

chore: loosened package restriction on Socket.IO #100

merged 3 commits into from
Sep 7, 2023

Conversation

kjy5
Copy link
Member

@kjy5 kjy5 commented Sep 7, 2023

Urchin's package definition conflicted with Ephys Link in VBL docs because the range was too restrictive. When using ~=, defining a patch number (like 5.8.0) restricts the packages to only 5.8.x versions instead of 5.x. Ephys Link is on 5.9.0.

The better solution to this is to use dependabot which tracks security updates on packages and automatically opens PR's to update them. Ephys Link uses dependabot and then uses == version restriction to keep with exactly the version dependabot detects is safe.

To enable, add .github/dependabot.yml with the following contents

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "pip" # See documentation for possible values
    directory: "API/" # Location of package manifests
    schedule:
      interval: "weekly"

You can also add another clause for the NPM packages. In my fork of Urchin when I had enabled this it produced 2 security updates and discovered 5 security vulnerabilities (one of which was critical).

@dbirman dbirman merged commit 7e47e43 into VirtualBrainLab:develop Sep 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants