EFI: Up to date packages #174
Comments
related: expressjs/express#5435 I think we need a larger discussion around how we want to approach this. For 4.x we have a long-standing practice, but we could consider changing it to be more update-friendly going forward if we want; we need to be careful not to lose our great stability.
Motivation
Keeping dependencies up to date can provide a lot of comfort for the ecosystem. First of all, following the updates and changes may allow the project to be less overwhelmed, but this is also a way to keep using packages that are updated and safe/secure. By relying on out-of-date packages, we may have hidden vulnerabilities that could be exploited.
Expectation
Keep all dependencies up to date for performance and security reasons.
Implementation
Remove unused packages if we have some
Implement automation around package updates using Dependabot or Renovate (or build a custom GitHub Action)
Follow up with the Security WG to keep the deps up to date
Do we want to have automatic security updates with auto-merge and auto-publish (if all tests are good)?
Status
Part: Organization
Draft