Multi Issue PR 20210524-1

.github/dependabot.yml

@@ -7,7 +7,18 @@ updates:
     directory: "/tdrs-frontend"
     schedule:
       interval: "daily"
+    target-branch: "raft-tdp-main"
+    labels:
+      - "dependencies"
+      - "frontend"
+      - "raft review"
+
   - package-ecosystem: "pip"
     directory: "/tdrs-backend"
     schedule:
       interval: "daily"
+    target-branch: "raft-tdp-main"
+    labels:
+      - "dependencies"
+      - "backend"
+      - "raft review"

docs/Architecture Decision Record/016-dependabot-dependency-management.md

@@ -0,0 +1,39 @@
+# 16. Migrating to Github Native Dependabot for TDP Dependency Management
+Date: 2021-05-14 (yyyy-mm-dd)
+
+## Status
+
+Approved
+
+## Context
+
+Currently our Snyk configuration is configured on the carltonsmith Snyk organization which will no longer work after @carltonsmith leaves the project.
+Additionally, these Snyk PRs require us to manage an unnecessary requirements.txt file in addition to our Pipfile and python dependency update PRs are not complete when they get opened since they don't update anything in our actual dependencies.
+
+Furthermore, we currently use the Dependabot Preview app which is being deprecated in favor of a GitHub Native Dependabot which has more features and is configured via a YAML file committed to the repo.
+
+## Proposed Decision
+Rather than setting up Snyk on a new organization and in order to get ahead on the impending Dependabot migration, We propose an update which provides the necessary YAML config to enable the new GitHub Native version of Dependabot.
+
+## Consequences
+
+To maintain our gitflow:
+
+* We need to explicitly disable automated PR updates on the HHS repo if it is not already, otherwise once this file gets merged in we will get Dependabot security-related PRs to both repos. This can be disabled in the security analysis settings as shown below:
+![disable-dependabot-security-updates](https://user-images.githubusercontent.com/22626085/118340020-8b744f80-b4e8-11eb-8bb1-eb851f074627.png)
+* We also need to specify a target_branch in the dependabot configuration file to prevent automated version-related PR updates from opening in the HHS repo.
+
+### Pros
+* Mitigate the need to manage unnecessary file for dependency management
+* Mitigate the need to manage multiple dependency management tools
+* Dependency management no longer contingent upon project user accounts.
+
+### Cons
+
+* (minor) The GitHub README status badges currently don't work for the GitHub Native Dependabot: [as noted in this open dependabot issue](https://github.com/dependabot/dependabot-core/issues/1912)
+
+### Notes
+
+Time estimate for development: n/a.
+
+[#917](https://github.com/raft-tech/TANF-app/pull/917) and [#932](https://github.com/raft-tech/TANF-app/pull/932) were created to support this migration and PR [#944](https://github.com/raft-tech/TANF-app/pull/944) completes this migration.

tdrs-frontend/package.json

@@ -65,8 +65,7 @@
   },
   "devDependencies": {
     "@testing-library/jest-dom": "^4.2.4",
-    "@testing-library/react": "^11.2.6",
-    "@testing-library/user-event": "^7.1.2",
+    "@testing-library/react": "^11.2.7",
     "concurrently": "^6.0.0",
     "cypress": "^4.12.0",
     "enzyme": "^3.11.0",

tdrs-frontend/yarn.lock

@@ -1828,19 +1828,14 @@
     pretty-format "^24.0.0"
     redent "^3.0.0"
 
-"@testing-library/react@^11.2.6":
-  version "11.2.6"
-  resolved "https://registry.yarnpkg.com/@testing-library/react/-/react-11.2.6.tgz#586a23adc63615985d85be0c903f374dab19200b"
-  integrity sha512-TXMCg0jT8xmuU8BkKMtp8l7Z50Ykew5WNX8UoIKTaLFwKkP2+1YDhOLA2Ga3wY4x29jyntk7EWfum0kjlYiSjQ==
+"@testing-library/react@^11.2.7":
+  version "11.2.7"
+  resolved "https://registry.yarnpkg.com/@testing-library/react/-/react-11.2.7.tgz#b29e2e95c6765c815786c0bc1d5aed9cb2bf7818"
+  integrity sha512-tzRNp7pzd5QmbtXNG/mhdcl7Awfu/Iz1RaVHY75zTdOkmHCuzMhRL83gWHSgOAcjS3CCbyfwUHMZgRJb4kAfpA==
   dependencies:
     "@babel/runtime" "^7.12.5"
     "@testing-library/dom" "^7.28.1"
 
-"@testing-library/user-event@^7.1.2":
-  version "7.2.1"
-  resolved "https://registry.yarnpkg.com/@testing-library/user-event/-/user-event-7.2.1.tgz#2ad4e844175a3738cb9e7064be5ea070b8863a1c"
-  integrity sha512-oZ0Ib5I4Z2pUEcoo95cT1cr6slco9WY7yiPpG+RGNkj8YcYgJnM7pXmYmorNOReh8MIGcKSqXyeGjxnr8YiZbA==
-
 "@tokenizer/token@^0.1.1":
   version "0.1.1"
   resolved "https://registry.yarnpkg.com/@tokenizer/token/-/token-0.1.1.tgz#f0d92c12f87079ddfd1b29f614758b9696bc29e3"