Infra: Run dependabot daily for gradle, npm and docker #1364
Is there anything you'd like reviewers to focus on?
Dependencies such as Spring are highly susceptible to CVEs, so it’s important to promptly receive and merge fixes when vulnerabilities are identified. For example, #1354 needed manual intervention due to this same Dependabot timing.
Theoretically, Dependabot security updates (if enabled) should be able to handle security upgrades off-schedule. However, that heavily depends on a vetted CVE and the corresponding Dependabot alert. For new CVEs where the alert does not exist yet, this may add 2-3 days of latency.
Currently, the number of Dependabot pull requests is low because of our grouping configuration, so increasing its run frequency should not create extra noise for maintainers.
I excluded GitHub Actions because weekly should be fine for that ecosystem, given that the CVE pressure there is low.
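For reference, an illustrative `.github/dependabot.yml` that matches the schedule described in this PR (daily for Gradle, npm and Docker, weekly for GitHub Actions, with grouping to keep PR volume low). This is an added example, not this repository's actual configuration; the `directory` values and group names are assumptions.

```yaml
# Illustrative Dependabot configuration (added example, not the project's own file).
# Paths under `directory` and the group names are assumptions for this example.
version: 2
updates:
  # Gradle: daily, so a published fix for a CVE in a dependency such as Spring
  # surfaces as a PR within a day instead of waiting for the weekly run.
  - package-ecosystem: "gradle"
    directory: "/"            # assumed location of build.gradle(.kts)
    schedule:
      interval: "daily"
    groups:
      gradle-dependencies:    # one grouped PR instead of one PR per artifact
        patterns:
          - "*"

  # npm: daily, grouped for the same reason.
  - package-ecosystem: "npm"
    directory: "/"            # assumed location of package.json
    schedule:
      interval: "daily"
    groups:
      npm-dependencies:
        patterns:
          - "*"

  # Docker base images: daily, so rebuilt base images with patched OS packages are picked up promptly.
  - package-ecosystem: "docker"
    directory: "/"            # assumed location of the Dockerfile
    schedule:
      interval: "daily"

  # GitHub Actions: left at weekly, since CVE pressure on this ecosystem is low.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Note that this file only controls scheduled version updates; Dependabot security updates, which react to Dependabot alerts outside the schedule, are enabled separately in the repository's security settings and still depend on an alert existing for the CVE.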