Scheduled dependency updates

[rosemaryku]

Problem Description

To minimize security vulnerabilities, enabling Dependabot, Renovate or another alternative for scheduled dependency updates would be useful.

Since the package-lock.json file is not published, there's no way to verify dependencies have the upgraded.

Potential Solution

Enable Dependabot, Renovate or another alternative for scheduled dependency updates to enhance security and outdated dependencies.

Snyk is another option that can be considered as a developer security platform to help identify vulnerabilities in dependencies.

[silviuaavram]

Hey @rosemaryku! Thanks for the feedback! Actually, since we don't enforce any package-lock, you can add any version of those libraries, as long as they comply with the minimum right?

At the moment we are doing manual dependency updates, and up until now I did not receive any warning from Github related to security vulnerabilitiyes.