Managing the nested npm project for the cards component could benefit from additional CI. Right now we only have verification in place that the project can be built successfully, which was required to have some level of trust for Dependabot package upgrade suggestions.
Some ideas for possible improvements
Auditing packages
Dependabot is the main source for package version upgrades, but it should be considered whether these should be blindly trusted. At minimum, we could add npm audit as part of the PR checks when the changes touch the cards component
Build&Commit card changes
When changing any code in the Cards UI, or upgrading packages, this will not have any effect for the component itself unless the project is also built. Currently there is no CI present, instead the author needs to manually rebuild the assets as part of their PR.
This could be automated as well, with a step taking care of rebuilding the assets and adding a commit to the PR. Some security considerations might apply when implementing commit rights for an action.
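As an added example (not the project's own CI), here is one way both ideas above could be wired into a single GitHub Actions workflow: an npm audit check that runs only when the PR touches the cards component, followed by a build-and-commit job that holds the only write permission in the workflow. It assumes the nested npm project lives under cards/ with a package-lock.json, that "npm run build" writes the assets into cards/dist, and Node 20; adjust those paths and versions to the real layout.

```yaml
name: cards-component-ci

on:
  pull_request:
    paths:
      - "cards/**"          # assumed location of the nested npm project

permissions:
  contents: read            # workflow-wide default: read-only token

jobs:
  audit:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: cards
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: cards/package-lock.json
      - run: npm ci
      # Fail the check on known advisories rated high or critical;
      # lower severities are still listed in the log but do not block the PR.
      - run: npm audit --audit-level=high

  build-and-commit:
    needs: audit
    # Only run for branches in this repository. A fork PR gets a read-only
    # GITHUB_TOKEN anyway, and the workflow should never push to a branch the
    # project does not control.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write       # the single job that needs to push a commit
    concurrency:
      group: cards-build-${{ github.head_ref }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}   # check out the PR branch itself so we can push to it
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: cards/package-lock.json
      - run: npm ci
        working-directory: cards
      - run: npm run build
        working-directory: cards
      - name: Commit rebuilt assets if they changed
        run: |
          # Assumed build output directory: cards/dist
          if [ -z "$(git status --porcelain -- cards/dist)" ]; then
            echo "Built assets already match the source; nothing to commit"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add cards/dist
          git commit -m "ci: rebuild cards component assets"
          git push
```

Two of the "security considerations" mentioned above are addressed by shape rather than by extra tooling: the workflow is triggered by pull_request (not pull_request_target), so PR code never runs with a write-capable token from a fork, and contents: write is scoped to the one job that needs it while the audit job keeps the read-only default. A commit pushed with the default GITHUB_TOKEN also does not trigger further workflow runs, which keeps the rebuild step from looping on its own commit.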