Dependabot automaticly scans the composer.json, composer.lock, package.json, and package-lock.json files to make sure packages are up to date. This document describes the process for reviewing and merging dependabot updates. Dependabot functionality is described on the Github documentation page
The package va-gov/content-build is the va.gov content build. This PR can be merged if all tests pass. No other work is needed.
Updates from packagist and npm with release notes will have collapsed secions containing the details release notes and commits.
Example PR: department-of-veterans-affairs#6069
Review the release notes and determine if manualy testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
Most of the time the release notes will be automaticlly added. In the cases where they are not, go to packagist/npm/github and add links to the release notes.
Here is an example: department-of-veterans-affairs#5665
To find the release notes, first start with the packagist/npm package which will link to the source code repository. For the example above, phpmailer is found here: https://packagist.org/packages/phpmailer/phpmailer
Dependabot PRs created for Drupal packages will not have release notes or diff. These can be created manually using the following pattern:
Release Notes: (one link to each of the releases between current and suggested)
- https://www.drupal.org/project/<project>/releases/<release>
Diff: https://git.drupalcode.org/project/<project>/-/compare/<current_release>...<suggested_release>
Example: department-of-veterans-affairs#5651
Blazy module updating from version 8.x-2.2 to 8.x-2.4
Release Notes:
* https://www.drupal.org/project/blazy/releases/8.x-2.4
* https://www.drupal.org/project/blazy/releases/8.x-2.3
Diff: https://git.drupalcode.org/project/blazy/-/compare/8.x-2.2...8.x-2.4?from_project_id=59405
Review the release notes and determine if manualy testing is required. Most of the time if all tests pass then the PR can be merged but this is a case by case basis. If you have any questions please reach out to your tech lead.
It's also useful to review the code diff to look for any API/method changes and see if we use any of the changed code.