Dependabot automatically scans the composer.json
, composer.lock
, package.json
, and package-lock.json
files to make sure packages are up to date. This document describes the process for reviewing and merging dependabot updates. Dependabot functionality is described on the Github documentation page
The package va-gov/content-build
is the va.gov content build. This PR can be merged if all tests pass. No other work is needed.
Updates from packagist and npm with release notes will have collapsed sections containing the details release notes and commits.
Example PR: department-of-veterans-affairs#6069
Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
Most of the time the release notes will be automatically added. In the cases where they are not, go to packagist/npm/github and add links to the release notes.
Here is an example: department-of-veterans-affairs#5665
To find the release notes, first start with the packagist/npm package which will link to the source code repository. For the example above, phpmailer is found here: https://packagist.org/packages/phpmailer/phpmailer
Dependabot PRs created for Drupal packages will not have release notes or diff. These can be created manually using the following pattern:
Release Notes: (one link to each of the releases between current and suggested)
- https://www.drupal.org/project/<project>/releases/<release>
Diff: https://git.drupalcode.org/project/<project>/-/compare/<current_release>...<suggested_release>
Example: department-of-veterans-affairs#5651
Blazy module updating from version 8.x-2.2 to 8.x-2.4
Release Notes:
* https://www.drupal.org/project/blazy/releases/8.x-2.4
* https://www.drupal.org/project/blazy/releases/8.x-2.3
Diff: https://git.drupalcode.org/project/blazy/-/compare/8.x-2.2...8.x-2.4?from_project_id=59405
Review the release notes and determine if manually testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
It's also useful to review the code diff to look for any API/method changes and see if we use any of the changed code.
The pull request events dispatched from GitHub to Tugboat cross the TIC; therefore, they are subject to inspection and rejection for possibly harmful content. As of now (February 2023), a rejected request still has a 200 HTTP status code, making this difficult to detect.
If a pull request's body contains code, it is possible that this will be interpreted as an attempt at server-side code injection. For instance, if the message contains "We started using filter_var()
to check if a variable is boolean.", it may be flagged as attempting PHP code injection and rejected transparently, regardless of the surrounding text.
The result is that Tugboat will not receive the message and consequently will not know to deploy a PR preview environment, and so the complete suite of tests will not run.
In this case, commenting @dependabot recreate
will probably not have any effect. Rather, enter the Tugboat interface, find the branch in the "available to build" list, and build it manually. The tests will run and work should proceed normally from that point.