Complete Dependabot dependency updates #3065
Comments
@lizpearl
And dismiss or not resolve the following warning:
@erinysong it's unclear to me that the first acceptance criteria was met here. Can you explain why that initial link still has several vulnerable dependencies? If sensitive, feel free to share elsewhere. cc: @lizpearl @abroddrick
Thank you for the heads up @h-m-f-t. Hm, it looks like duplicate warnings got created for each Dependabot vulnerability. For example, open warning 116 is identical to the resolved warning 117. Just cross-checked with every open dependency and, aside from the exceptions listed above, each one has an identical vulnerability warning marked as fixed. I would lean toward resolving the duplicate vulnerability warnings that didn't get marked fixed, since updating our dependencies should resolve them, but I'm also open to other suggestions.
Thanks Erin! That makes sense.
Update - I was wrong and the open issues were actually because the warnings were being caught in different files. Manually updating our Python dependencies should fix this and will do that right now. Thank you @lizpearl for finding the source!
Open Django warnings have been resolved in #3277 - thank you for bringing this to attention!
Issue description
In this repo's security tab, we have several updates that have come in for packages we use. Let's update these.
Some of these updates are for the same package; only the most recent upgrade needs to be applied. For instance, there are several django updates that call out updating to 4.2.14 and then later ones mention 4.2.15. We'll just go to the latest version.
Acceptance criteria
Additional context
No response
Links to other issues
No response
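The two points raised in this issue (apply only the most recent upgrade per package, and identical-looking warnings that turn out to come from different files) can be checked mechanically. The following is an added example, not code from this repository or from Dependabot; the alert records, their field names, the ids and the manifest names `manifest-A` / `manifest-B` are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample alerts (not real data from the repository). Field names
# and manifest names are assumptions made for this example.
ALERTS = [
    {"id": 1, "package": "django", "manifest": "manifest-A", "patched": "4.2.14", "state": "fixed"},
    {"id": 2, "package": "django", "manifest": "manifest-A", "patched": "4.2.15", "state": "fixed"},
    {"id": 3, "package": "django", "manifest": "manifest-B", "patched": "4.2.14", "state": "open"},
    {"id": 4, "package": "django", "manifest": "manifest-B", "patched": "4.2.15", "state": "open"},
]


def version_key(version):
    """Turn '4.2.15' into (4, 2, 15); plain string comparison would rank '4.2.9' above it."""
    return tuple(int(part) for part in version.split("."))


def upgrade_targets(alerts):
    """For each (manifest, package) that still has open alerts, return the
    highest patched version: the single upgrade that covers all of them."""
    targets = {}
    for alert in alerts:
        if alert["state"] != "open":
            continue
        key = (alert["manifest"], alert["package"])
        if key not in targets or version_key(alert["patched"]) > version_key(targets[key]):
            targets[key] = alert["patched"]
    return targets


def open_twins(alerts):
    """Pair each open alert with a fixed alert for the same package and patched
    version in a different manifest. Such pairs look like duplicates, but the
    open one is a real finding in a file that was not updated."""
    fixed = defaultdict(list)
    for alert in alerts:
        if alert["state"] == "fixed":
            fixed[(alert["package"], alert["patched"])].append(alert)
    pairs = []
    for alert in alerts:
        if alert["state"] != "open":
            continue
        for twin in fixed[(alert["package"], alert["patched"])]:
            if twin["manifest"] != alert["manifest"]:
                pairs.append((alert["id"], alert["manifest"], twin["id"], twin["manifest"]))
    return pairs
```

An open alert that shows up in `open_twins` should be fixed by updating the second manifest rather than dismissed as a duplicate.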