re: Automate NPM packages security fixes with recurring tasks on CI

re: dependabot is not free for org github accounts. Having npm audit as a part of the test suite causes unpredictable behaviour, since usually you also run...

(1) Not true (for open source that is).

(2) Right, absolutely agreed. We have a grace period depending on severity for that reason.

My preference is to have a failure and know about the security problem if it's severe. This should not be a problem if everything else in your pipeline is handled appropriately.
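As an added illustration of the severity threshold plus grace period described above (example code, not from the thread or any commenter), this script gates a CI job on `npm audit --json` output: only findings at or above a chosen severity fail the build, and a per-advisory allowlist with expiry dates defers known issues for a limited time. It assumes the npm 7+ report shape (auditReportVersion 2); the allowlist format and the sample advisories are this example's own constructions.

```javascript
// Fail CI only on npm audit findings at or above a severity threshold,
// honouring a grace period recorded as advisory id -> ISO expiry date.
// Assumes the npm >= 7 audit JSON format (auditReportVersion 2).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Returns which advisories block the build and which are deferred under grace.
function evaluateAudit(report, policy, now = new Date()) {
  const blocking = [];
  const deferred = [];
  const threshold = SEVERITY_RANK[policy.failOn];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const via of vuln.via) {
      // `via` holds advisory objects, or plain package-name strings for
      // transitive exposure through another listed package; skip the strings
      // so each advisory is counted once, at its direct package.
      if (typeof via !== 'object') continue;
      if (SEVERITY_RANK[via.severity] < threshold) continue;
      const expiry = policy.grace[String(via.source)];
      if (expiry && new Date(expiry) > now) {
        deferred.push({ id: via.source, package: vuln.name, until: expiry });
      } else {
        blocking.push({ id: via.source, package: vuln.name, severity: via.severity });
      }
    }
  }
  return { fail: blocking.length > 0, blocking, deferred };
}

// Constructed sample report in the npm 7+ shape (advisory ids are not real).
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high',
      via: [{ source: 1001, name: 'example-parser', severity: 'high', title: 'constructed' }] },
    'example-logger': { name: 'example-logger', severity: 'moderate',
      via: [{ source: 1002, name: 'example-logger', severity: 'moderate', title: 'constructed' }] },
    'example-app-lib': { name: 'example-app-lib', severity: 'high', via: ['example-parser'] },
  },
};

// Constructed policy: fail on high/critical; advisory 1001 is deferred until 2099-01-01.
const policy = { failOn: 'high', grace: { '1001': '2099-01-01' } };

if (typeof require !== 'undefined' && require.main === module) {
  // In CI: `npm audit --json > audit.json` then `node audit-gate.js audit.json`.
  const path = process.argv[2];
  const report = path ? JSON.parse(require('fs').readFileSync(path, 'utf8')) : sampleReport;
  const result = evaluateAudit(report, policy);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.fail ? 1 : 0;
}
```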
