Recurring NPM dependency upgrades based on Dependabot alerts
Created by: valerybugakov
Problem statement
Dependabot raises alerts about security issues in our NPM dependencies. Critical alerts need to be fixed as soon as possible, on a regular cadence.
Success criteria
Dependabot alerts are monitored, and critical issues are fixed weekly. This issue should stay open on the board because it's a recurring task. Let's discuss the best way to integrate it into your billing system in Slack.
Implementation details
If a reported issue can be fixed in less than 4 hours, open a PR that fixes it. If the fix requires significant changes in the codebase, create a GitHub issue and start a discussion about it in Slack.
Time estimate
- A pull request touching frontend code should take at most 4 hours. Ping the reviewer in the spec pull request if time-consuming changes are required.
- Split the work into multiple pull requests if the total diff is larger than 450 lines of code.
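The split described under "Implementation details" (quick dependency bump PR versus a GitHub issue for anything bigger) can be driven from the alert data itself. The script below is an added example, not code from this issue or our repo; it assumes alerts in the JSON shape of GitHub's `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint, and the package names, alert numbers and versions in it are constructed sample data.

```javascript
// Added example, not from this issue: triage helper for the weekly Dependabot pass described above.
// Alert objects follow the shape of GitHub's REST endpoint
// GET /repos/{owner}/{repo}/dependabot/alerts (e.g. fetched with
//   gh api "repos/OWNER/REPO/dependabot/alerts?state=open&ecosystem=npm").

// Build a constructed sample alert with only the fields triage needs (field names match the API).
function sampleAlert(number, state, name, manifestPath, severity, firstPatched) {
  return {
    number, state,
    html_url: `https://github.com/example-org/app/security/dependabot/${number}`,
    dependency: { package: { ecosystem: "npm", name }, manifest_path: manifestPath },
    security_advisory: { severity, summary: "constructed sample advisory" },
    security_vulnerability: { first_patched_version: firstPatched ? { identifier: firstPatched } : null },
  };
}

const SAMPLE_ALERTS = [
  sampleAlert(12, "open", "left-pad-demo", "package-lock.json", "critical", "2.0.1"),
  sampleAlert(13, "open", "left-pad-demo", "web/package-lock.json", "critical", "2.0.1"),
  sampleAlert(14, "open", "legacy-parser-demo", "package-lock.json", "critical", null),
  sampleAlert(15, "open", "logger-demo", "package-lock.json", "high", "4.1.0"),
  sampleAlert(9, "fixed", "old-lib-demo", "package-lock.json", "critical", "1.0.1"),
];

const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };
// Keep open npm alerts at or above minSeverity and group them per package: one
// version bump PR closes every alert for that package across all lockfiles.
function triageAlerts(alerts, { minSeverity = "critical", ecosystem = "npm" } = {}) {
  const groups = new Map();
  for (const a of alerts) {
    if (a.state !== "open" || a.dependency.package.ecosystem !== ecosystem) continue;
    if (SEVERITY_RANK[a.security_advisory.severity] < SEVERITY_RANK[minSeverity]) continue;
    const name = a.dependency.package.name;
    const g = groups.get(name) || { package: name, alerts: [], manifests: new Set(), patchedVersions: new Set() };
    g.alerts.push(a.number); g.manifests.add(a.dependency.manifest_path);
    const fix = a.security_vulnerability.first_patched_version; if (fix) g.patchedVersions.add(fix.identifier);
    groups.set(name, g);
  }
  const bumpPr = [], needsIssue = [];
  for (const g of groups.values()) {
    // Patched version available: a dependency bump PR is the "under 4 hours" path from the ticket.
    // No patched version upstream: replacing the package is the "significant changes" path, so open an issue.
    (g.patchedVersions.size > 0 ? bumpPr : needsIssue).push({
      package: g.package, alerts: g.alerts.sort((x, y) => x - y),
      manifests: [...g.manifests], patchedVersions: [...g.patchedVersions],
    });
  }
  return { bumpPr, needsIssue };
}
```

Run `triageAlerts(SAMPLE_ALERTS)` to get the two buckets; pass `{ minSeverity: "high" }` once critical alerts are clear and you want to widen the weekly pass.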