Q2 Dependabot application dependency updates

[nathankota]

Benefit Hypothesis

UGRC applications have dependencies that are constantly updating to add new features, improve performance, and patch security issues. Keeping applications current with dependencies improves our security posture and allows for easier future enhancements since the amount of breaking changes is smaller and more trivial.

Acceptance Criteria

UGRC application dependencies are current and all known CVE's are patched.

[nathankota]

Sprint 1 Tasks

• Investigate and implement some Dependabot groups

• Dependabot updates

• Sort out Google Analytics

• make git checkout quiet with

   with:
      show-progress: false

• Trusted publishers for PyPi

Bump to next quarter

• Consider https://github.com/step-security/harden-runner this quarter or another

[steveoh]

Sprint 1 Notes

Scott and Steve have completed 99% of this quarters dependabot updates. Below are some tasks that we have to close out the objective and some we want to push to the next quarter.

Remaining tasks

• API Client build needs to be investigated
• Parole needs code changes
• Address point editor needs updates but we aren’t sure where to invest time
• Jake hasn't started his python projects
• Revisit the reactfire npm conflicts
• Some action workflows are not completing since their required checks aren’t running

Next quarter

• Forklift arcpy + warehouse updates we'd like to push for next quarter
• Push swapper to pypi and automate builds Pypi swapper#19

[nathankota]

will move unchecked tasks and new ones to a Q3 feature