Add dependabot feature#134
Open
vwinland wants to merge 304 commits into
Open
Conversation
Bumps [uv](https://github.com/astral-sh/uv) from 0.5.4 to 0.11.6. - [Release notes](https://github.com/astral-sh/uv/releases) - [Changelog](https://github.com/astral-sh/uv/blob/main/CHANGELOG.md) - [Commits](astral-sh/uv@0.5.4...0.11.6) --- updated-dependencies: - dependency-name: uv dependency-version: 0.11.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/langchain-text-splitters-1.1.2 Bump langchain-text-splitters from 0.3.2 to 1.1.2 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/modelcontextprotocol/sdk-1.26.0 Bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
Bumps [ip-address](https://github.com/beaugunderson/ip-address) and [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit). These dependencies needed to be updated together. Updates `ip-address` from 10.1.0 to 10.2.0 - [Commits](https://github.com/beaugunderson/ip-address/commits) Updates `express-rate-limit` from 8.5.0 to 8.5.1 - [Release notes](https://github.com/express-rate-limit/express-rate-limit/releases) - [Commits](express-rate-limit/express-rate-limit@v8.5.0...v8.5.1) --- updated-dependencies: - dependency-name: ip-address dependency-version: 10.2.0 dependency-type: indirect - dependency-name: express-rate-limit dependency-version: 8.5.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [mako](https://github.com/sqlalchemy/mako) from 1.3.6 to 1.3.12. - [Release notes](https://github.com/sqlalchemy/mako/releases) - [Changelog](https://github.com/sqlalchemy/mako/blob/main/CHANGES) - [Commits](https://github.com/sqlalchemy/mako/commits) --- updated-dependencies: - dependency-name: mako dependency-version: 1.3.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.20 to 0.0.27. - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.20...0.0.27) --- updated-dependencies: - dependency-name: python-multipart dependency-version: 0.0.27 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/python-dotenv-1.2.2 Bump python-dotenv from 1.0.1 to 1.2.2 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/litellm-1.83.7 Bump litellm from 1.52.12 to 1.83.7 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/13-full-stack-applications/silly_story_time/yaml-1.10.3 Bump yaml from 1.10.2 to 1.10.3 in /tutorials/13-full-stack-applications/silly_story_time
…-agent-systems/acp_tutorial/beeai_agent_server/python-multipart-0.0.27 Bump python-multipart from 0.0.20 to 0.0.27 in /tutorials/03-multi-agent-systems/acp_tutorial/beeai_agent_server
…-agent-systems/my_retail_advisor/uv-0.11.6 Bump uv from 0.5.4 to 0.11.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
…s/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/multi-7bdfbe8666 Bump ip-address and express-rate-limit in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.0 to 2.12.0. - [Release notes](https://github.com/jpadilla/pyjwt/releases) - [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst) - [Commits](jpadilla/pyjwt@2.10.0...2.12.0) --- updated-dependencies: - dependency-name: pyjwt dependency-version: 2.12.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [orjson](https://github.com/ijl/orjson) from 3.10.11 to 3.11.6. - [Release notes](https://github.com/ijl/orjson/releases) - [Changelog](https://github.com/ijl/orjson/blob/master/CHANGELOG.md) - [Commits](ijl/orjson@3.10.11...3.11.6) --- updated-dependencies: - dependency-name: orjson dependency-version: 3.11.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pyasn1](https://github.com/pyasn1/pyasn1) from 0.6.1 to 0.6.3. - [Release notes](https://github.com/pyasn1/pyasn1/releases) - [Changelog](https://github.com/pyasn1/pyasn1/blob/main/CHANGES.rst) - [Commits](pyasn1/pyasn1@v0.6.1...v0.6.3) --- updated-dependencies: - dependency-name: pyasn1 dependency-version: 0.6.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [cryptography](https://github.com/pyca/cryptography) from 43.0.3 to 46.0.7. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@43.0.3...46.0.7) --- updated-dependencies: - dependency-name: cryptography dependency-version: 46.0.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [requests](https://github.com/psf/requests) from 2.32.3 to 2.33.0. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.32.3...v2.33.0) --- updated-dependencies: - dependency-name: requests dependency-version: 2.33.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pygments](https://github.com/pygments/pygments) from 2.18.0 to 2.20.0. - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](pygments/pygments@2.18.0...2.20.0) --- updated-dependencies: - dependency-name: pygments dependency-version: 2.20.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/multiagent-collab-cs-call-center-analysis/mako-1.3.12 Bump mako from 1.3.6 to 1.3.12 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…-agent-systems/my_retail_advisor/pyjwt-2.12.0 Bump pyjwt from 2.10.0 to 2.12.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/orjson-3.11.6 Bump orjson from 3.10.11 to 3.11.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/pyasn1-0.6.3 Bump pyasn1 from 0.6.1 to 0.6.3 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/cryptography-46.0.7 Bump cryptography from 43.0.3 to 46.0.7 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/requests-2.33.0 Bump requests from 2.32.3 to 2.33.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [protobuf](https://github.com/protocolbuffers/protobuf) from 5.28.3 to 5.29.6. - [Release notes](https://github.com/protocolbuffers/protobuf/releases) - [Commits](https://github.com/protocolbuffers/protobuf/commits) --- updated-dependencies: - dependency-name: protobuf dependency-version: 5.29.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…-agent-systems/my_retail_advisor/pygments-2.20.0 Bump pygments from 2.18.0 to 2.20.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…-agent-systems/my_retail_advisor/protobuf-5.29.6 Bump protobuf from 5.28.3 to 5.29.6 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [python-dotenv](https://github.com/theskumar/python-dotenv) from 1.0.1 to 1.2.2. - [Release notes](https://github.com/theskumar/python-dotenv/releases) - [Changelog](https://github.com/theskumar/python-dotenv/blob/main/CHANGELOG.md) - [Commits](theskumar/python-dotenv@v1.0.1...v1.2.2) --- updated-dependencies: - dependency-name: python-dotenv dependency-version: 1.2.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langchain-openai](https://github.com/langchain-ai/langchain) from 0.2.9 to 1.1.14. - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain-openai==0.2.9...langchain-openai==1.1.14) --- updated-dependencies: - dependency-name: langchain-openai dependency-version: 1.1.14 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [filelock](https://github.com/tox-dev/py-filelock) from 3.16.1 to 3.20.3. - [Release notes](https://github.com/tox-dev/py-filelock/releases) - [Changelog](https://github.com/tox-dev/filelock/blob/main/docs/changelog.rst) - [Commits](tox-dev/filelock@3.16.1...3.20.3) --- updated-dependencies: - dependency-name: filelock dependency-version: 3.20.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [python-multipart](https://github.com/Kludex/python-multipart) from 0.0.27 to 0.0.31. - [Release notes](https://github.com/Kludex/python-multipart/releases) - [Changelog](https://github.com/Kludex/python-multipart/blob/main/CHANGELOG.md) - [Commits](Kludex/python-multipart@0.0.27...0.0.31) --- updated-dependencies: - dependency-name: python-multipart dependency-version: 0.0.31 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [hono](https://github.com/honojs/hono) from 4.12.23 to 4.12.25. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.23...v4.12.25) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.25 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langchain](https://github.com/langchain-ai/langchain) from 1.2.17 to 1.3.9. - [Release notes](https://github.com/langchain-ai/langchain/releases) - [Commits](langchain-ai/langchain@langchain==1.2.17...langchain==1.3.9) --- updated-dependencies: - dependency-name: langchain dependency-version: 1.3.9 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [form-data](https://github.com/form-data/form-data) from 4.0.5 to 4.0.6. - [Release notes](https://github.com/form-data/form-data/releases) - [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md) - [Commits](form-data/form-data@v4.0.5...v4.0.6) --- updated-dependencies: - dependency-name: form-data dependency-version: 4.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.12.0 to 6.13.3. - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](py-pdf/pypdf@6.12.0...6.13.3) --- updated-dependencies: - dependency-name: pypdf dependency-version: 6.13.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…i-agent-systems/my_retail_advisor/pypdf-6.13.3 chore(deps): bump pypdf from 6.12.0 to 6.13.3 in /tutorials/03-multi-agent-systems/my_retail_advisor
…ls/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/form-data-4.0.6 chore(deps): bump form-data from 4.0.5 to 4.0.6 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
…i-agent-systems/my_retail_advisor/langchain-1.3.9 chore(deps): bump langchain from 1.2.17 to 1.3.9 in /tutorials/03-multi-agent-systems/my_retail_advisor
…ls/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server/hono-4.12.25 chore(deps): bump hono from 4.12.23 to 4.12.25 in /tutorials/16-ibm-bob/mcp-server-integration-ibm-bob/arxiv-server
…i-agent-systems/acp_tutorial/crewai_agent_server/python-multipart-0.0.31 chore(deps): bump python-multipart from 0.0.27 to 0.0.31 in /tutorials/03-multi-agent-systems/acp_tutorial/crewai_agent_server
…i-agent-systems/multiagent-collab-cs-call-center-analysis/pyjwt-2.13.0 chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…i-agent-systems/acp_tutorial/crewai_agent_server/pyjwt-2.13.0 chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/acp_tutorial/crewai_agent_server
Bumps [starlette](https://github.com/Kludex/starlette) from 1.0.1 to 1.3.1. - [Release notes](https://github.com/Kludex/starlette/releases) - [Changelog](https://github.com/Kludex/starlette/blob/main/docs/release-notes.md) - [Commits](Kludex/starlette@1.0.1...1.3.1) --- updated-dependencies: - dependency-name: starlette dependency-version: 1.3.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
…i-agent-systems/my_retail_advisor/pyjwt-2.13.0 chore(deps): bump pyjwt from 2.12.0 to 2.13.0 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/my_retail_advisor/starlette-1.3.1 chore(deps): bump starlette from 1.0.1 to 1.3.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.7 to 48.0.1. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@46.0.7...48.0.1) --- updated-dependencies: - dependency-name: cryptography dependency-version: 48.0.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
--- updated-dependencies: - dependency-name: aiohttp dependency-version: 3.14.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.2 to 0.8.18. - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.8.2...v0.8.18) --- updated-dependencies: - dependency-name: langsmith dependency-version: 0.8.18 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [langsmith](https://github.com/langchain-ai/langsmith-sdk) from 0.8.1 to 0.8.18. - [Release notes](https://github.com/langchain-ai/langsmith-sdk/releases) - [Commits](langchain-ai/langsmith-sdk@v0.8.1...v0.8.18) --- updated-dependencies: - dependency-name: langsmith dependency-version: 0.8.18 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v6...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the npm-dependencies group in /tutorials/13-full-stack-applications/silly_story_time with 1 update: [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint). Updates `typescript-eslint` from 8.61.0 to 8.61.1 - [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases) - [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md) - [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.61.1/packages/typescript-eslint) --- updated-dependencies: - dependency-name: typescript-eslint dependency-version: 8.61.1 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
…ls/13-full-stack-applications/silly_story_time/npm-dependencies-fa15ee3bad chore(deps-dev): bump typescript-eslint from 8.61.0 to 8.61.1 in /tutorials/13-full-stack-applications/silly_story_time in the npm-dependencies group
…ns/checkout-7 chore(deps): bump actions/checkout from 6 to 7
…i-agent-systems/my_retail_advisor/langsmith-0.8.18 chore(deps): bump langsmith from 0.8.1 to 0.8.18 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/multiagent-collab-cs-call-center-analysis/langsmith-0.8.18 chore(deps): bump langsmith from 0.8.2 to 0.8.18 in /tutorials/03-multi-agent-systems/multiagent-collab-cs-call-center-analysis
…i-agent-systems/my_retail_advisor/aiohttp-3.14.1 chore(deps): bump aiohttp from 3.14.0 to 3.14.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
…i-agent-systems/my_retail_advisor/cryptography-48.0.1 chore(deps): bump cryptography from 46.0.7 to 48.0.1 in /tutorials/03-multi-agent-systems/my_retail_advisor
The dependabot-bob-files directory contains personal reference materials and manager guides that are not part of the core security implementation. These files will be kept locally for reference but not included in the PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add Comprehensive Security Automation Framework
Summary
This PR implements a complete security automation framework for the ibmdotcom-tutorials repository, providing automated dependency management, security scanning, and efficient PR review workflows optimized for educational content.
Important: What's Included in This PR
For full transparency, this PR contains two components:
1. Security Framework (Core Implementation)
2. Dependency Updates (~300 commits)
What This Adds
1. Automated Security Workflows (5 workflows)
Dependabot Auto-Approve (
.github/workflows/dependabot-auto-approve.yml)Dependency Review (
.github/workflows/dependency-review.yml)CodeQL Security Analysis (
.github/workflows/codeql-analysis.yml)Python Security Scan (
.github/workflows/python-security.yml)Secret Scanning (
.github/workflows/secret-scan.yml)2. Dependabot Configuration
File:
.github/dependabot.ymlMonitors dependencies across:
Features:
3. Security Documentation
SECURITY.md
Enhanced Implementation Guide (
tutorials/security-implementation-guide-enhanced.md)4. Updated Contributing Guidelines
CONTRIBUTING.md
5. Secret Scanning Baseline
.secrets.baseline🔄 How It Works with Two-Reviewer Requirement
The repository requires 2 approving reviews. Here's how the framework handles this:
For Patch/Minor Updates (80% of PRs)
For Major Updates (20% of PRs)
Security Considerations
What This Protects Against
✅ Vulnerable dependencies (automatic detection and updates)
✅ Hardcoded secrets (prevented from being committed)
✅ Code vulnerabilities (SQL injection, XSS, etc.)
✅ Outdated dependencies (weekly checks)
✅ License compliance issues (automatic review)
What Still Requires Human Review
Industry Alignment
This approach follows best practices from:
📚 Documentation Provided
✅ Testing Performed
Files Changed
New Files
.github/dependabot.yml- Dependabot configuration.github/workflows/dependabot-auto-approve.yml- Auto-approval workflow.github/workflows/dependency-review.yml- Dependency review workflow.github/workflows/codeql-analysis.yml- CodeQL security analysis.github/workflows/python-security.yml- Python security scanning.github/workflows/secret-scan.yml- Secret scanning workflowSECURITY.md- Security policy.secrets.baseline- Secret scanning baselineModified Files
CONTRIBUTING.md- Added security guidelines section