Hey all,

The pre-release security checklist for the payments server (issue #1128) suggests that we hook up a dependency management service, like Greenkeeper, Dependabot, or Renovate.

Of the three options, Renovate is the most flexible. It lets us limit the total number of dependency update PRs open at a given time, limit the rate at which new PRs are created, and schedule how often it runs. Renovate is also monorepo-aware, and it can be configured to match or ignore files/directories within a repo.

In PR #1908[1], I've hooked up Renovate to run once a week, only open 2 PRs at a time, and only scan dependencies in the fxa-payments-server package. We can easily enable it for other packages in the monorepo in the future.

If anyone has comments or questions, feel free to reply to this thread or comment on the PR[1].

Cheers,
Jared

[1] https://github.com/mozilla/fxa/pull/1908
_______________________________________________
Dev-fxacct mailing list
Dev-fxacct@mozilla.org
https://mail.mozilla.org/listinfo/dev-fxacct
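For readers who want to see what the three settings described in the message (weekly schedule, at most two open PRs, one package only) look like in a Renovate config, here is an added example. It is not the configuration from PR #1908 or any other code from the fxa project; the repository path `packages/fxa-payments-server/**` and the timezone are assumptions, and the file is written as JSON5 (which Renovate accepts as `renovate.json5`) so that it can carry comments.

```json5
// renovate.json5 at the repository root (illustrative example, not the file in PR #1908)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Start from Renovate's default preset (ignores node_modules, groups monorepos, etc.).
  "extends": ["config:base"],

  // Run once a week: Renovate only creates or rebases PRs inside this window.
  // The timezone is an assumption; without it the schedule is evaluated in UTC.
  "timezone": "America/Los_Angeles",
  "schedule": ["before 3am on Monday"],

  // Never have more than two Renovate PRs open at the same time.
  "prConcurrentLimit": 2,

  // Only look at manifests under this package; the path is assumed for the fxa monorepo.
  // Other packages can be enabled later by adding more globs here.
  "includePaths": ["packages/fxa-payments-server/**"],

  // Everything else is still ignored; this just makes the intent explicit.
  "ignorePaths": ["**/node_modules/**", "**/test/**"]
}
```

Before committing a change like this, run `npx --package renovate renovate-config-validator` in the repo to catch typos in option names, since Renovate silently ignores unknown keys in some versions. One caveat a reviewer should keep in mind: a low `prConcurrentLimit` combined with a weekly schedule means a dependency fix can sit in the queue for a week or more, so the limits should be revisited once the team is comfortable with the PR volume.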