Wasp•14mo ago

Enable dependabot

Hi,

I would like to enable Github dependabot in my open-saas project. At the moment, it is failing due to the local dependency on "wasp" in the package.json file:
"wasp": "file:.wasp/out/sdk/wasp","

Is there any workaround to start using dependabot to identify security vulnerabilities? Thank you!

kapa.ai•11/18/24, 8:55 PM

Hi @Ramon. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

kapa.ai•11/18/24, 8:55 PM

----------------------
To address your question about enabling Dependabot with the local "wasp" dependency, I don't have enough specific information from the provided knowledge sources to give a definitive solution. However, I can offer some insights based on the available information:

The local "wasp" dependency is indeed part of Wasp's current structure. As mentioned in a GitHub issue comment (https://github.com/wasp-lang/wasp/issues/1429), Wasp uses a local package installation for its SDK:

   {
     "name": "my-project",
     "devDependencies": {
       "@wasp/auth": "file:./sdk/@wasp/auth"
     },
   }

   {
     "name": "my-project",
     "devDependencies": {
       "@wasp/auth": "file:./sdk/@wasp/auth"
     },
   }

This local dependency structure is intentional and part of Wasp's current design. It's used to manage Wasp's SDK and ensure that the correct version is used within your project.
Unfortunately, Dependabot typically struggles with local dependencies as it can't analyze or update them in the same way it does for remote dependencies.

While I don't have a direct solution for enabling Dependabot with this setup, you might consider:

Reaching out to the Wasp community or maintainers directly through their GitHub issues (https://github.com/wasp-lang/wasp/issues) or Discord channel (🙋questionsPulling new changes for OpenSaaS/Wasp while maintaining my own repository on GitHub) to ask about potential workarounds or future plans to address this limitation.
Monitoring Wasp's ongoing development, as they are working on restructuring to make configuring Wasp as an npm project easier, which might affect how dependencies are managed in the future. As mentioned in a GitHub comment (https://github.com/wasp-lang/wasp/issues/869), "we are working on restructuring that will make configuring it as a npm project easier, and that is heavily under way."

kapa.ai•11/18/24, 8:55 PM

In the meantime, you may need to manually monitor and update dependencies for your project, particularly those outside of the Wasp-managed packages.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------

kapa.ai•11/18/24, 8:55 PM

Sorry @Ramon, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:

Perhaps try again in 15mins?

miho•11/19/24, 9:14 AM

This is not really Wasp specific, but is there a way to ignore certain dependencies with the dependabot configuration?

Enable dependabot

Similar Threads

Similar Threads

Similar Threads