Merge pull request #1519 from maester365/Dependency-Management

Bump Node.js to 22.12 across the project and add better dependency management.

Author: SamErde

.devcontainer/devcontainer.json

@@ -2,7 +2,7 @@
 // README for image at: https://github.com/devcontainers/templates/tree/main/src/javascript-node
 {
 	"name": "Maester",
-	"image": "mcr.microsoft.com/devcontainers/javascript-node:1-20-bullseye",
+	"image": "mcr.microsoft.com/devcontainers/javascript-node:1-22.12-bookworm",
 	"features": {
 		"ghcr.io/devcontainers/features/powershell:2": {
 			"modules": "Microsoft.Graph.Authentication, Pester, PSFramework, PSModuleDevelopment, PSScriptAnalyzer"

.github/dependabot.yml

@@ -4,17 +4,86 @@
 
 version: 2
 updates:
+
   - package-ecosystem: "devcontainers"
     directory: "/"
     schedule:
       interval: weekly
     open-pull-requests-limit: 10
     commit-message:
       prefix: "chore(deps): "
+
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
     open-pull-requests-limit: 10
     commit-message:
-      prefix: "chore(deps): "
+      prefix: "chore(deps): "
+
+  - package-ecosystem: "npm"
+    directory: "/website"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(deps): "
+    groups:
+      docusaurus:
+        patterns:
+          - "@docusaurus/*"
+      icons:
+        patterns:
+          - "@fortawesome/*"
+          - "@iconify/*"
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+        exclude-patterns:
+          - "@docusaurus/*"
+          - "@fortawesome/*"
+          - "@iconify/*"
+          - "react"
+          - "react-dom"
+
+  - package-ecosystem: "npm"
+    directory: "/report"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+    commit-message:
+      prefix: "chore(deps): "
+    groups:
+      ui-components:
+        patterns:
+          - "@radix-ui/*"
+          - "@headlessui/*"
+          - "@tremor/*"
+      icons:
+        patterns:
+          - "@heroicons/*"
+          - "@remixicon/*"
+          - "lucide-react"
+      typescript-tooling:
+        patterns:
+          - "typescript"
+          - "@types/*"
+          - "eslint"
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+        exclude-patterns:
+          - "@radix-ui/*"
+          - "@headlessui/*"
+          - "@tremor/*"
+          - "@heroicons/*"
+          - "@remixicon/*"
+          - "lucide-react"
+          - "typescript"
+          - "@types/*"
+          - "eslint"
+          - "react"
+          - "react-dom"
+          - "react-router-dom"

.github/workflows/build-report.yaml

@@ -32,7 +32,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: "20"
+          node-version: "22.12.x"
           cache: "npm"
           cache-dependency-path: report/package-lock.json
 
@@ -41,6 +41,11 @@ jobs:
           cd report
           npm ci
 
+      - name: Audit dependencies
+        run: |
+          cd report
+          npm audit --audit-level=high
+
       - name: Build report
         run: |
           cd report

.github/workflows/dependency-review.yaml

@@ -0,0 +1,26 @@
+name: dependency-review
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths:
+      - "website/package.json"
+      - "website/package-lock.json"
+      - "report/package.json"
+      - "report/package-lock.json"
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+        with:
+          fail-on-severity: high

.github/workflows/publish-versioned-docs.yml

@@ -36,7 +36,7 @@ jobs:
       - name: ⚙️ Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 22.12.x
           cache: 'npm'
           cache-dependency-path: website/package-lock.json
 

.nvmrc

@@ -0,0 +1 @@
+22.12.0

report/README.md

@@ -18,15 +18,15 @@ It uses vite-plugin-singlefile to generate a single HTML file which will be used
 
 Open terminal window and navigate to /report folder and run the following command to install all dependencies:
 
-```
+```shell
 npm install
 ```
 
 ### Development
 
 To start the development server, run the following command:
 
-```
+```shell
 npm run dev
 ```
 
@@ -36,15 +36,17 @@ Once you are done with making updates to the report, you can build the project t
 
 To build the project, run the following command:
 
-```
+```shell
 npm run build
 ```
 
 - This will generate the report.html file in the /dist folder.
 - Copy it to the /powershell/assets folder and rename it to ReportTemplate.html (overwrite the existing file).
+
 ```powershell
 Copy-Item ./dist/index.html ../powershell/assets/ReportTemplate.html -Force
 ```
+
 - Now PowerShell will package and use the new report template.
 
 ### Updating the sample data in the report

report/package-lock.json

@@ -45,6 +45,6 @@
     "vite-plugin-singlefile": "^2.3.0"
   },
   "engines": {
-    "node": ">=20.0"
+    "node": ">=22.12"
   }
 }