https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40778

--- Comment #5 from Paul Derscheid <[email protected]> ---
I am also not sure yet whether the template for the Bugzilla report makes
sense as it is.

I thought about splitting this by severity. But on the other hand, we probably
don't want to scatter dozens of bugs that all just address a single dependency
update.

So keeping this in one bug "per run" with findings and updating with patches
per finding is probably cleaner.

Not sure yet whether this should be automated, or if it's better if a person
(me, for example :)) just takes the report and manually creates a bug after the
run and only creates a new one if new findings pop up.

In summary, I am not sure yet about the actual workflow based on this, but
would recommend:
- CI runs:
  - Audit lists
    - Vulnerable packages
    - Outdated packages
  - Report is generated
  - Is translated into a Bug
  - Then start fixing by severity what is easily fixable (no major version upgrades)
  - Create targeted bugs for vulnerable packages that need a major upgrade
  - Then start fixing the outdated ones in the same manner
  - Every action depends a bit on whether the dependency is actually in the production build or just a devDependency (we need to maybe review if these are sorted into the right bins right now)
  - Production dependencies need to be prioritized
  - Dev dependencies can be evaluated after
- Once we did the initial cleanup, this will surface a lot fewer issues, but I am not sure how long this will take
  - We already have some deps, where we are 3 major versions behind
  - This then also requires the dev to review upstream what actually happened
  - If we depend on something outdated that requires a big refactor and it's not vulnerable in a way that's actually exploitable, it's debatable whether it's worth the effort to upgrade

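The triage described in the comment above (audit report -> one bug per run, findings binned into production vs. devDependency, then split into "fix now", "needs a major upgrade, open a targeted bug" and "no fix available") can be turned into a script. The following is an added example, not Koha's code and not part of the comment; it assumes the report comes from `npm audit --json` in the npm 7+ shape (`auditReportVersion: 2`, with `severity`, `isDirect`, `effects`, `range` and `fixAvailable` per package) and that the production/dev split comes from `package.json`. The package names and report contents are constructed for the example and do not describe real vulnerabilities.

```javascript
'use strict';

// Severity order used for sorting, highest first (npm audit's severity labels).
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// How a finding is handled, mirroring the split in the comment above.
const FIX_LABEL = {
  simple: 'fix in this bug (no major version upgrade)',
  major: 'needs a major upgrade, open a targeted bug',
  none: 'no upstream fix available yet, keep tracking',
};

// Constructed package.json fragment (assumption, not Koha's real manifest).
const PACKAGE_JSON = {
  dependencies: { 'pkg-a': '^2.1.0', 'pkg-d': '^1.0.0' },
  devDependencies: { 'pkg-b': '^5.2.0' },
};

// Constructed `npm audit --json` output in the npm 7+ (auditReportVersion 2) shape.
// `effects` lists the packages that depend on the vulnerable one.
const AUDIT_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'high', isDirect: true, effects: [], range: '<3.0.0',
               fixAvailable: { name: 'pkg-a', version: '3.0.0', isSemVerMajor: true } },
    'pkg-b': { name: 'pkg-b', severity: 'critical', isDirect: true, effects: [], range: '<5.2.4',
               fixAvailable: true },
    'pkg-c': { name: 'pkg-c', severity: 'moderate', isDirect: false, effects: ['pkg-b'], range: '*',
               fixAvailable: false },
    'pkg-d': { name: 'pkg-d', severity: 'low', isDirect: true, effects: [], range: '<1.0.3',
               fixAvailable: true },
  },
};

// Which bin a direct dependency is declared in.
function directBin(pkgJson, name) {
  if (pkgJson.dependencies && name in pkgJson.dependencies) return 'production';
  if (pkgJson.devDependencies && name in pkgJson.devDependencies) return 'dev';
  return 'unknown';
}

// For a transitive package, follow `effects` up to the direct dependencies that
// pull it in. A package that reaches any production dependency is production;
// a cycle or dead end ends up as 'unknown' so a person reviews it by hand.
function resolveBin(vulns, pkgJson, name, seen = new Set()) {
  if (seen.has(name)) return 'unknown';
  const next = new Set(seen);
  next.add(name);
  const v = vulns[name];
  if (!v) return 'unknown';
  if (v.isDirect) return directBin(pkgJson, name);
  const bins = (v.effects || []).map((e) => resolveBin(vulns, pkgJson, e, next));
  if (bins.includes('production')) return 'production';
  if (bins.includes('dev')) return 'dev';
  return 'unknown';
}

// 'simple' if `npm audit fix` can do it without a semver-major bump, 'major'
// if the fix crosses a major version, 'none' if npm reports no fix.
function fixKind(v) {
  if (v.fixAvailable === true) return 'simple';
  if (v.fixAvailable && typeof v.fixAvailable === 'object') {
    return v.fixAvailable.isSemVerMajor ? 'major' : 'simple';
  }
  return 'none';
}

// Flatten the report into findings sorted production first, then by severity.
function triageAudit(audit, pkgJson) {
  const vulns = audit.vulnerabilities || {};
  const binRank = { production: 0, dev: 1, unknown: 2 };
  return Object.values(vulns)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      bin: resolveBin(vulns, pkgJson, v.name),
      range: v.range,
      fix: fixKind(v),
      via: v.isDirect ? 'direct' : `via ${(v.effects || []).join(', ')}`,
    }))
    .sort((a, b) => binRank[a.bin] - binRank[b.bin]
      || SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
      || a.name.localeCompare(b.name));
}

// Render the plain-text body for the single "per run" bug.
function renderBugReport(findings, runId) {
  const lines = [`Dependency audit run ${runId}`, ''];
  for (const bin of ['production', 'dev', 'unknown']) {
    const rows = findings.filter((f) => f.bin === bin);
    if (rows.length === 0) continue;
    lines.push(`== ${bin} dependencies (${rows.length}) ==`);
    for (const f of rows) {
      lines.push(`- [${f.severity}] ${f.name} ${f.range} (${f.via}): ${FIX_LABEL[f.fix]}`);
    }
    lines.push('');
  }
  return lines.join('\n');
}

console.log(renderBugReport(triageAudit(AUDIT_REPORT, PACKAGE_JSON), 'example'));
```

With a real report, `AUDIT_REPORT` and `PACKAGE_JSON` would be read from `npm audit --json` output and the project's `package.json`; the `unknown` bin exists so that a transitive finding whose dependency chain cannot be resolved is surfaced for manual review rather than silently filed as dev.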
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs