Proposal: triage Dependabot updates #15420

Open
lucasgonze opened this issue May 6, 2024 · 3 comments
Labels
type: proposal Proposals and design documents

Comments

lucasgonze commented May 6, 2024

Problem

Dependabot alerts are up to 300, from 23 about a year ago.

By severity:

[chart: open alert counts by severity; the image itself was not captured in the text extraction]

Solution

I will work through all alerts for necessary security patches:

  1. Merge any pull requests that don't break the build or any test
  2. Identify and dismiss false positives
  3. Implement upstream patches when feasible
  4. Analyze dependency paths to CVEs and manually update packages as necessary

Non-goals

This work excludes patching Magma source code. In places where an upgrade requires changes to, for example, React code, that is out of scope.

Work beyond 6-8 weeks.

Bid

I estimate this work will take 6-8 weeks. I am asking for $6,000 to perform it.

Note that I am submitting this bid as the first party, under my own name, and not via OSPOCO.

Acceptance:

  • No upgrades at severity Critical (15) or High (88) will be untriaged. I will either merge a PR, create a PR, or write a ticket when further engineering is needed.
  • All items at severity Moderate (181) will be reviewed. They will be dismissed when irrelevant, merged when no test is broken, manually upgraded when possible. When none of the above is possible, I will document the reasons for discussion with the TSC.
  • No items at severity Low (16) will be left.
@lucasgonze lucasgonze added the type: proposal Proposals and design documents label May 6, 2024
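One way to mechanize steps 1 to 4 of the proposal, as an added example that is not part of this issue or of the Magma code base: it takes alert records in the shape returned by GitHub's Dependabot alerts REST API (the field names are an assumption drawn from that API; the alerts, package names, CVE placeholders and dependency graph below are constructed for the demo) and routes each open alert to one of the proposal's actions. The dependency graph is what makes step 4 concrete: for every alert it reports which direct dependency in the manifest would have to be bumped, and an alert whose package is not reachable from any direct dependency is flagged as a false-positive candidate for step 2 rather than being dismissed automatically.

```python
"""Route Dependabot alerts to triage actions (added example, not Magma project code).

Alert records are assumed to look like the objects returned by GitHub's REST
endpoint GET /repos/{owner}/{repo}/dependabot/alerts; only the fields `number`,
`state`, `dependency.package.name`, `dependency.scope`,
`security_advisory.severity`, `security_advisory.cve_id` and
`security_vulnerability.first_patched_version` are used.  Everything below
(alerts, package names, dependency graph) is constructed for the demo.
"""
from collections import Counter
from typing import Dict, List

# Worklist ordering: Critical and High are the proposal's hard acceptance items.
# The API spells the UI's "Moderate" as "medium".
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def _alert(number, name, severity, patched, state="open", scope="runtime"):
    """Build a constructed alert record in the assumed API shape."""
    return {
        "number": number,
        "state": state,
        "dependency": {"package": {"ecosystem": "npm", "name": name}, "scope": scope},
        "security_advisory": {"severity": severity, "cve_id": f"CVE-PLACEHOLDER-{number}"},
        "security_vulnerability": {
            "first_patched_version": {"identifier": patched} if patched else None
        },
    }


# Constructed sample alerts (not real advisories and not Magma's alerts).
SAMPLE_ALERTS = [
    _alert(101, "cli-args", "critical", "2.0.0"),
    _alert(102, "body-parse", "high", None),             # no fixed release published
    _alert(103, "test-runner", "medium", "5.1.0", scope="development"),
    _alert(104, "cli-args", "low", "2.0.0"),
    _alert(105, "http-server", "high", "4.2.0", state="dismissed"),
    _alert(106, "orphan-pkg", "medium", "1.0.1"),        # not reachable from the manifest
]

# Constructed dependency graph of the kind one derives from a lockfile:
# package -> packages it depends on.  Direct deps are the manifest's own entries.
SAMPLE_DIRECT_DEPS = ["web-build", "http-server", "test-runner"]
SAMPLE_GRAPH = {
    "web-build": ["build-minify", "util-parse"],
    "util-parse": ["cli-args"],
    "http-server": ["body-parse"],
    "body-parse": ["query-parse"],
    "test-runner": ["cli-args"],
}


def dependency_paths(graph: Dict[str, List[str]], direct_deps: List[str],
                     target: str, max_paths: int = 20) -> List[List[str]]:
    """Return chains direct_dep -> ... -> target, found by DFS with a cycle guard."""
    paths: List[List[str]] = []

    def walk(node, trail, seen):
        if node == target:
            paths.append(trail)
            return
        for child in graph.get(node, []):
            if child not in seen:
                walk(child, trail + [child], seen | {child})

    for root in direct_deps:
        walk(root, [root], {root})
    return paths[:max_paths]


def route_alert(alert: dict, graph: Dict[str, List[str]], direct_deps: List[str]) -> dict:
    """Map one alert to a triage action following the proposal's steps 1-4."""
    severity = alert["security_advisory"]["severity"].lower()
    result = {"severity": severity, "scope": alert["dependency"]["scope"],
              "action": "skip_closed", "paths": [], "bump_targets": [], "fixed_in": None}
    if alert["state"] != "open":
        return result                                   # fixed or dismissed already
    name = alert["dependency"]["package"]["name"]
    paths = dependency_paths(graph, direct_deps, name)
    patched = alert["security_vulnerability"].get("first_patched_version")
    if not paths:
        # Step 2: nothing in the manifest pulls this package in (stale lockfile,
        # wrong manifest).  Flag it for a human to confirm before dismissing.
        action = "review_no_path"
    elif patched is None:
        action = "upstream_patch_or_ticket"             # step 3: no fixed release to move to
    else:
        action = "merge_or_create_pr"                   # steps 1/4: a fix exists, bump the direct dep(s)
    result.update(action=action, paths=paths,
                  bump_targets=sorted({p[0] for p in paths}),
                  fixed_in=patched["identifier"] if patched else None)
    return result


def triage(alerts, graph, direct_deps) -> Dict[int, dict]:
    """Route every alert; keyed by alert number."""
    return {a["number"]: route_alert(a, graph, direct_deps) for a in alerts}


def severity_counts(routes: Dict[int, dict]) -> Dict[str, int]:
    """Open-alert counts by severity, the numbers the acceptance criteria are stated in."""
    return dict(Counter(r["severity"] for r in routes.values() if r["action"] != "skip_closed"))


def worklist(routes: Dict[int, dict]) -> List[int]:
    """Open alert numbers ordered Critical -> Low, then by number."""
    open_alerts = [n for n, r in routes.items() if r["action"] != "skip_closed"]
    return sorted(open_alerts, key=lambda n: (SEVERITY_ORDER[routes[n]["severity"]], n))


if __name__ == "__main__":
    routes = triage(SAMPLE_ALERTS, SAMPLE_GRAPH, SAMPLE_DIRECT_DEPS)
    print("open by severity:", severity_counts(routes))
    for number in worklist(routes):
        r = routes[number]
        print(f"#{number} {r['severity']:8} {r['action']:24} bump={r['bump_targets']} fixed_in={r['fixed_in']}")
```

For a real repository the alert list can be fetched with `gh api repos/OWNER/REPO/dependabot/alerts --paginate` and passed to `triage`; the graph has to come from the repository's own lockfiles, which is the part of step 4 this example leaves to the reader. The router deliberately never dismisses anything itself: `review_no_path` and `upstream_patch_or_ticket` are queues for a person, matching the proposal's "write a ticket when further engineering is needed".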
lucasgonze commented May 6, 2024

TSC conversation notes:

  1. Ubuntu will need an upgrade to 22.0.4, and that will likely cause churn in the open alerts.
  2. Not ready for a vote on acceptance yet - bring up again next week w/ TSC.

lucasgonze commented May 13, 2024

TSC conversation notes:

The work may be much larger than documented here. How to package it as a proposal?

  • Identify trivial items
  • Click the button on trivial items
  • Document non-trivial items

Continue discussion offline and next week.

@lucasgonze

Alternate way to package this up: leave no critical or high severity upgrades behind. Every one should have been researched and routed, with trivial work done and non-trivial work in the engineering pipeline.

Projects: none yet
Development: no branches or pull requests
1 participant