Dependabot only upgrading Parse Server

[mtrezza]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest versions of Parse Server and the Parse JS SDK.

Issue Description

Dependabot is only upgrading Parse Server due to a config file added to fix an issue described in #1546. The side effect is that the config disabled security upgrades of all other dependencies. This isn't a major issue since Snyk is also opening PRs for security issues. But since dependabot sometimes opens a PR for an issue that Snyk didn't detect yet, it reduces the overall security coverage.

The challenge is to figure out how to upgrade parse server with every commit (which the current config file does) while also allowing upgrades for all other repos.

Steps to reproduce

Dependabot didn't open security patches in this repo anymore as reported in #1525 (comment).

Actual Outcome

n/a

Expected Outcome

n/a

Environment

n/a

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.

[dplewis]

Running npm outdated on the repo shows that a lot of our packages are out of date. Dependabot or Snyx should open PR's for those not just security patches. I would love for Jasmine 4.5.0 to run against our test suites.

[mtrezza]

They did / should open PRs, for example #1524. The reason could be that these bots only open a limited number of PRs. If there are open, unmerged PRs they may stop new PRs being opened. That's why after closing or merging a PR almost immediately we see a new one being opened sometimes.

[dplewis]

If we close those old PRs would new PRs open. Lets try it out

[mtrezza]

I've closed the old ones, Snyk settings look normal, checked 7 hours ago.

I'll try to re-add the project in Snyk, maybe it's checking a wrong branch because it doesn't find any issues.

[mtrezza]

Reimported the repo in Snyk; the dependencies are detected correctly. It doesn't show any vulnerabilities in the dependencies:

The repo uses the org setting which has update out-of-date dependencies enabled:

[mtrezza]

@dplewis responding to your #1678 (comment):

Reading the docs I assumed that all means only direct dependencies for npm. The docs also say:

Use the allow option to customize which dependencies are updated. This applies to both version and security updates.

So it seems to not be possible to differentiate between "security" and "outdated" upgrades. Maybe let's observe this a bit more. There are no new dependabot PRs being opened, so maybe it was just an initial flood of PRs.

[parseplatformorg]

🎉 This change has been released in version 4.0.0-alpha.7