This repository was archived by the owner on Oct 2, 2025. It is now read-only.

Commit b60b0c4

Create fixing_dependabot_issues.md
1 parent 2c530b2 commit b60b0c4

1 file changed

+38
-0
lines changed

@@ -0,0 +1,38 @@
1+
## Dependabot Issues
2+
3+
Dependabot will identify the problematic library, and give the minimal version of the library that is need to resolve the security vulnerability.
4+
5+
Dependabot will describe the security vulnerability that has been found in the dependency. It provide the urgentcy of the vulnerability, like 'critical', 'high', and 'moderate'. Critical vulnerabilities need to be resolved as soon as possible, usually by the next Specify release.
6+
7+
## Upgrading Dependencies
8+
9+
### Upgrading a front-end javascript/typescript library with npm
10+
11+
Use the `npm ls` to check out the versions and dependency chains of a library. Here's an example
12+
```bash
13+
npm ls loader-utils
14+
specify7-frontend@1.0.0 /Users/username/git/specify7/specifyweb/frontend/js_src
15+
├─┬ babel-loader@8.2.5
16+
│ └── loader-utils@2.0.2
17+
├── loader-utils@3.2.1
18+
└─┬ worker-loader@3.0.8
19+
└── loader-utils@2.0.0
20+
```
21+
22+
After editing the package.json, run `npm i` to update the package-lock.json file.
23+
24+
Upgrade the dependencies as needed to prevent older versions of libraries with security vulnerabilities.
25+
26+
Usually, it is best to upgrade the library to the minimum version of the library that is compliant with the vulnerability fix. This minimize the risk of the upgrade making breaking changes to the code.
27+
28+
For indirect dependencies that need upgraded, an override of the version might be needed to be made in the package.json file.
29+
30+
After verifying that all unit tests have passed, do some general testing to ensure there are no breaking changes. Try searching the codebase to see where the library is used in order to focus testing on use cases that are more likely to be affected.
31+
32+
### Upgrading a back-end python library
33+
34+
Similar to the process of upgrading a front-end dependency. Upgrade the problematic library in the `requirements.txt` file.
35+
36+
Once the requirements have been changed, run `docker compose up --build` to rebuild the project. Make sure that the project builds without any errors and that all unit tests have passed. Then, general testing can be done to ensure no breaking changes have been made.
37+
38+
Most upgrades can be straight forward, but complications can arise when one upgrade necessitates other library upgrades.
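Review bot: the npm procedure in this hunk is out of order and under-specified: line 22 says to run `npm i` after editing package.json before lines 24 and 28 have told the reader what to edit, so move the `npm i` sentence after the override paragraph, and name the mechanism on line 28: npm's `overrides` field in package.json (npm 8.3 and later) is what forces a transitive dependency such as the nested `loader-utils@2.0.0` shown by `npm ls` onto a fixed version, e.g. `"overrides": { "loader-utils": "<fixed version>" }`, and `npm ls <package>` should be re-run afterwards to confirm no vulnerable copy remains in the tree. The back-end section (lines 34 to 36) should state how transitive Python packages are handled, since `requirements.txt` has no override concept: add the transitive package as an explicitly pinned entry (or use a pip constraints file) and rebuild. Spelling and grammar fixes for the same hunk: "urgentcy" to "urgency", "is need" to "is needed", "It provide" to "It provides", "This minimize" to "This minimizes", "need upgraded" to "need upgrading", "straight forward" to "straightforward", and "javascript/typescript" to "JavaScript/TypeScript".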
