Summary
The `intercom-frontend` repo has a `.github/dependabot.yml` configured for daily npm dependency updates. The `intercom-manager` backend repo has no equivalent, meaning dependency vulnerabilities accumulate undetected until a manual `npm audit` is run.
Several backend devDependencies are already on older major versions (e.g. `@typescript-eslint/eslint-plugin@^5`, `eslint@^8`) which may have accumulated CVEs.
Recommendation
Add `.github/dependabot.yml` to `intercom-manager`:
```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```
This mirrors the frontend configuration. Major version bumps can be handled manually to avoid unexpected breaking changes.
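Dependabot only opens PRs for advisories published after it is enabled; the vulnerabilities that have already accumulated still surface only when `npm audit` runs. The following added example (not part of this issue or the `intercom-manager` codebase) is a CI gate that parses `npm audit --json` output (auditReportVersion 2) and fails the build at a chosen severity, reporting whether each finding is a direct dependency and whether the fix is a patch/minor or a semver-major upgrade, which matters given the `ignore` rule above. The audit report embedded here is constructed sample data, not real findings.

```python
import json

# Constructed sample of `npm audit --json` output (npm 7+ report format).
# Package names and advisories are invented for this example.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": {
            "name": "example-parser", "severity": "high", "isDirect": True,
            "range": "<2.0.0", "fixAvailable": True,
            "via": [{"title": "Prototype pollution (constructed example)"}],
        },
        "example-transitive": {
            "name": "example-transitive", "severity": "moderate", "isDirect": False,
            "range": "<1.4.2", "via": ["example-parser"],
            "fixAvailable": {"name": "example-parser", "version": "2.1.0", "isSemVerMajor": True},
        },
        "example-noisy": {
            "name": "example-noisy", "severity": "low", "isDirect": True,
            "range": "*", "fixAvailable": False,
            "via": [{"title": "ReDoS (constructed example)"}],
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 3}},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

def gate_audit(report_text, fail_at="high"):
    """Parse npm audit JSON; return (should_fail, findings) with findings
    sorted from most to least severe. Hypothetical helper, not an npm API."""
    report = json.loads(report_text)
    threshold = SEVERITY_RANK[fail_at]
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        fix = vuln.get("fixAvailable")
        # fixAvailable is True, False, or an object describing the upgrade;
        # a semver-major upgrade is exactly what the Dependabot ignore rule skips.
        needs_major = isinstance(fix, dict) and fix.get("isSemVerMajor", False)
        findings.append({
            "package": name,
            "severity": vuln["severity"],
            "direct": bool(vuln.get("isDirect")),
            "fix": "none" if not fix else ("major upgrade" if needs_major else "patch/minor"),
        })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    should_fail = any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)
    return should_fail, findings

if __name__ == "__main__":
    fail, found = gate_audit(SAMPLE_AUDIT)
    for f in found:
        print(f"{f['severity']:>8}  {f['package']:<20} direct={f['direct']}  fix={f['fix']}")
    raise SystemExit(1 if fail else 0)
```

In a real pipeline, pipe `npm audit --json` into `gate_audit` and treat "major upgrade" findings as the manual-review queue that the ignore rule leaves open.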
Context
Severity
Low — Process improvement; reduces future security debt.
Found by automated security audit.