mirror of
https://github.com/ruvnet/RuVector.git
synced 2026-05-23 12:55:26 +00:00
Mirrors the pattern landed on sublinear-time-solver#25:
1. dependency-review (PRs only, informational)
2. cargo-audit (RustSec advisory DB, vulnerabilities only)
3. cargo-deny (license/source/ban policy via deny.toml)
4. npm-audit (workspace npm/ at --audit-level=critical)
5. lockfile-integrity (cargo metadata --locked)
npm criticals cleared via package.json overrides:
- vm2: transitively dropped via @google-cloud/redis 5.x
- fast-xml-parser: >=5.7.0 (was <=5.6.0 vuln)
- protobufjs: >=7.5.6 (was <=7.5.5 vuln)
- @google-cloud/redis: >=5.0.0 (was <=3.3.0 vuln)
- handlebars: picked up >=4.7.9 via override resolution
Result: 73 vulns → 33 (3 crit → 0, 36 high → 19, 17 medium → 5).
19 highs remain (mostly devDep transitives + ML helpers) and are
tracked via the new dependabot.yml — Dependabot will chip away
weekly.
deny.toml ignore-list with re-review dates covers:
- RUSTSEC-2023-0071 rsa Marvin Attack (no patched version yet,
local-only signing for Kalshi API; re-review
2026-08-01)
- RUSTSEC-2026-0097 rand unsoundness (not triggerable in our
usage — no logging inside RNG draws)
- RUSTSEC-2026-0115/0116/0117 imageproc unsoundness (scipix
offline examples only, never published)
- 8 unmaintained advisories (paste, bincode, instant, rand_os,
proc-macro-error, rustls-pemfile, rusttype, number_prefix,
core2) — all transitive, no CVE, tracked for migration
Added BSL-1.0, CDLA-Permissive-2.0, NCSA licenses to allowlist
(present in transitive deps via xxhash-rust, tch-rs, LLVM family).
dependabot.yml schedules weekly Tuesday 09:35 UTC for cargo +
npm + github-actions ecosystems with patch+minor grouping.
Co-Authored-By: claude-flow <ruv@ruv.net>
74 lines
3.2 KiB
YAML

version: 2

# Dependabot delivers dep updates as PRs that the supply-chain workflow
# (.github/workflows/supply-chain.yml) gates. Without this, security
# advisories disclosed against a transitive don't reach us until a
# human notices — Dependabot turns them into auditable PRs within hours.
#
# Each ecosystem gets its own schedule so the noise stays bounded.
# Larger workspace than sublinear-time-solver — bumped the per-eco
# open-PR caps slightly (10 cargo / 10 npm) so a noisy weekly run
# doesn't get truncated.

updates:
  # ────────────────────────────────────────────────────────
  # Rust — workspace root (covers ~136 member crates)
  # ────────────────────────────────────────────────────────
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday" # matches supply-chain.yml scheduled scan
      time: "09:35"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10
    # Group patch + minor bumps so we don't drown in single-dep PRs;
    # majors stay separate because they may carry breaking changes.
    groups:
      cargo-minor-patch:
        update-types: ["minor", "patch"]
    labels: ["dependencies", "rust"]
    commit-message:
      prefix: "chore(deps)"
      include: "scope"

  # ────────────────────────────────────────────────────────
  # npm — workspace at /npm (58 publishable packages)
  # ────────────────────────────────────────────────────────
  - package-ecosystem: "npm"
    directory: "/npm"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "09:35"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10
    groups:
      npm-minor-patch:
        update-types: ["minor", "patch"]
    labels: ["dependencies", "npm"]
    commit-message:
      prefix: "chore(deps)"
      include: "scope"
    versioning-strategy: "increase-if-necessary"
    # Production deps only — devDeps drift is much less interesting
    # from a supply-chain standpoint (jest/eslint bumps don't ship
    # to users).
    ignore:
      - dependency-name: "*"
        dependency-type: "development"

  # ────────────────────────────────────────────────────────
  # GitHub Actions — uses statements in .github/workflows/
  # ────────────────────────────────────────────────────────
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
      time: "09:35"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5
    labels: ["dependencies", "github-actions"]
    commit-message:
      prefix: "chore(ci)"
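Review bot: the npm block's ignore rule (`dependency-name: "*"` with `dependency-type: "development"`) contradicts the commit message's claim that the 19 remaining highs, described there as "mostly devDep transitives", are "tracked via the new dependabot.yml" and will be chipped away weekly: with that rule in place Dependabot will not open version-update PRs for any development dependency under /npm, so those findings stay untouched unless something else handles them. Either narrow the ignore to the specific dev packages whose churn is unwanted, or reword the "Production deps only" comment and the commit message to say that devDep advisories are out of scope for this config and are cleared by hand (e.g. via overrides, as done for the criticals). Minor: the github-actions block omits `include: "scope"` from its `commit-message`, unlike the cargo and npm blocks; add it or state why actions bumps are scoped differently.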