Hello Everyone,

TL;DR: I would like to ask if we want to enable Dependabot to make automated PRs updating our JavaScript dependencies for the UI?

Context:

We've been discussing in the Apache Software Foundation whether it is OK from a legal/infrastructure point of view to use Dependabot to monitor and make Pull Requests automatically to update our dependencies. So far the policy of the ASF was that Dependabot creating automated PRs is against the policies. Generally the discussion was whether an automated PR which creates branches directly in the Airflow repo automatically (not in a fork) is OK from the "contribution" perspective (according to the ASF there should always be a human in the loop for the code contributed). After a long discussion and arguments in https://issues.apache.org/jira/browse/LEGAL-589 (I took an active part there advocating for a change), the conclusion is that using Dependabot is OK as long as you have protected branches, which makes it required for a human reviewer (committer) to review such a branch and merge it to the "protected" branch.

I think we cannot really use Dependabot for Airflow dependencies (it's not as sophisticated when it comes to multiple versions of Python and the constraints mechanism, and we would have far too many PRs to handle if it is about our ~600 Python dependencies). But I think it would be cool to enable it for our JavaScript dependencies for the UI (we are following a very standard approach there with the usual yarn.lock, so it should be easy to plug Dependabot in).

What we can get: better supply-chain security in general, but we will get some traffic from automated PRs sent by Dependabot that we will have to handle, review, possibly test and approve. The result will be that we will get PRs about updated (and especially security-related) dependencies as quickly as they happen, and we will be able to see all the details of the security updates. Currently we (maintainers) only see alerts about those vulnerabilities, but with Dependabot security updates those will become automated PRs.

Unlike the Python dependencies (which are automatically updated by our CI), we update our JavaScript dependencies irregularly in "bulk", i.e. from time to time we refresh the lock file and update to the latest dependencies. That has the advantage that we can likely test it in bulk. However, my point of view is that making such updates more frequently is better, because if we update dependencies one by one we will not even have to test them too much: we will quickly see that the UI is broken during our regular development, and then it will be easier to pinpoint the culprit. As one of my favourite quotes goes: "If an upgrade is painful, simply do it more often rather than less often - that makes it far less painful in general".

More info about Dependabot: https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories

Example PR generated by Dependabot: https://github.com/PolideaInternal/airflow-gepard/pull/356

J.
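For reference, this is what the Dependabot version-update configuration for the UI package described in the mail above would look like. It is an added example and not something from the mail or from the Airflow project; the directory path and the label name are placeholders I assumed, not values from the page.

```yaml
# .github/dependabot.yml (added example; paths and labels are assumed placeholders)
version: 2
updates:
  - package-ecosystem: "npm"       # the npm ecosystem handles package.json + yarn.lock
    directory: "/path/to/ui"       # ASSUMPTION: replace with the directory holding the UI's package.json
    schedule:
      interval: "weekly"           # batches version bumps instead of one PR per release
    open-pull-requests-limit: 5    # caps the automated-PR traffic the mail worries about
    labels:
      - "dependencies"             # ASSUMPTION: hypothetical label for triage
```

This file only drives version updates; the "Dependabot security updates" that turn vulnerability alerts into PRs are switched on in the repository's security settings, and the human-in-the-loop requirement from LEGAL-589 is enforced by the branch protection rule on the target branch, not by anything in this file.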
