We need a solution to keep us on top of required npm package updates.
Status Quo:
- LibraryUpgrader2 runs on most Gerrit repositories (but not on nested packages)
- https://libraryupgrader2.wmcloud.org/vulns/npm?branch=master
- There are no email notifications for this
- Dependabot runs for most of our Github repositories (but not for nested packages?)
- There is a daily Jenkins job for WikibaseLexeme that runs `npm audit`
- This was added in https://gerrit.wikimedia.org/r/c/573235
- This is still running: https://integration.wikimedia.org/ci/job/wikibase-daily-npm-audit-daily-node10-npmaudit-docker
Speculation around approach:
- During ticket polishing we discussed whether a calendar event (along the lines of Patch Tuesday, https://en.wikipedia.org/wiki/Patch_Tuesday) could be enough?
- Simply running `npm audit` automatically could probably also be achieved with Jenkins and GitHub Actions, with email notifications
>>! In T244001#6884044, @wiese wrote:
> FWIW lerna-audit now ([[ https://github.com/tnobody/lerna-audit/releases/tag/v1.3.1 | v1.3.1 ]]) does not show the problems anymore which we encountered earlier ([[ https://github.com/wmde/wikit/commit/1841b964cd635239f8b25f3f140ea8e20d751b36 | e.g. ]]) when using it to tend to monorepos.
**Acceptance criteria ⛺✨:**
[] Have a clear path forward for having npm audit run on ALL of our package.json files regularly
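As an added example (not part of this task, LibraryUpgrader2, Dependabot or the existing Jenkins job), the shape a repository-level script for the "ALL of our package.json files" criterion and the Jenkins/GitHub Actions speculation above could take: it finds every package.json, nested packages included, prunes node_modules, runs `npm audit` in each directory and exits non-zero whenever anything failed, so a CI job can turn that into a notification. The `AUDIT_CMD` override hook is an assumption of this example, not an npm feature.

```shell
#!/bin/sh
# Added example: audit every package.json under a repository root, nested
# packages included, skipping anything inside node_modules.
# Usage: sh npm-audit-all.sh <repo-root>
# AUDIT_CMD is an assumed override hook (not an npm feature) so a CI job or a
# test can swap the real command for something else.

# list_package_dirs ROOT: print each directory under ROOT that holds a
# package.json, pruning node_modules so vendored copies are not audited.
list_package_dirs() {
  find "$1" -name node_modules -prune -o -name package.json -type f -print |
    sed 's#/package.json$##' | sort
}

# audit_all ROOT: run the audit command in every package directory and print a
# summary. Exit status is 0 only if at least one package was found and none
# failed, so a Jenkins or GitHub Actions job turns any finding (or an empty
# checkout) into a red build rather than a silent green one.
audit_all() {
  root="$1"
  cmd="${AUDIT_CMD:-npm audit --audit-level=high}"
  total=0
  failed=0
  # A here-document keeps the loop in the current shell, so the counters
  # survive (a pipe into `while read` would run it in a subshell in POSIX sh).
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    total=$((total + 1))
    echo "== auditing $dir"
    # $cmd is deliberately unquoted: the default value must split into the
    # command and its arguments.
    if (cd "$dir" && $cmd); then
      echo "   ok"
    else
      echo "   FAILED"
      failed=$((failed + 1))
    fi
  done <<EOF
$(list_package_dirs "$root")
EOF
  echo "$failed of $total package directories failed the audit"
  [ "$total" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Run only when a root is given on the command line, so the functions can also
# be sourced from another script.
if [ $# -gt 0 ]; then
  audit_all "$1"
fi
```

`npm audit` needs a lockfile in the directory it runs in, so nested packages of a workspaces monorepo that have no lockfile of their own will show up as FAILED rather than being skipped silently; that is deliberate, since a package nobody can audit is itself a finding for this task.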