From 67602fb279a8fea0b00225cbe8284fa1eb2d1df5 Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 21:19:15 +0000 Subject: [PATCH] chore: replace Dependabot references with Renovate (#55) - SECURITY.md: update to mention Renovate instead of Dependabot - README.md: update supply chain table - ADR 003: update mitigation to mention Renovate Closes PRI-389. Parent PRI-387. Co-authored-by: Chris Farhood Co-authored-by: Paperclip --- README.md | 2 +- SECURITY.md | 2 +- docs/architecture/adr/003-client-side-crypto.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a5fed24..5fc0750 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ Plaintext values never leave your browser. | Network sniffing | No plaintext on network | ✅ Protected | | Compromised proxy | Only sees encrypted data | ✅ Protected | | Browser XSS | Headlamp CSP policies | ⚠️ Standard web security | -| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring | +| Supply chain | Package locks, Renovate | ⚠️ Ongoing monitoring | See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md) diff --git a/SECURITY.md b/SECURITY.md index e9e480c..338653c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -70,7 +70,7 @@ Key dependencies with security implications: - **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date. - **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation. -The project uses `npm audit` and Dependabot to monitor for known vulnerabilities. +The project uses `npm audit` and Renovate to monitor for known vulnerabilities. ## Contact 
diff --git a/docs/architecture/adr/003-client-side-crypto.md b/docs/architecture/adr/003-client-side-crypto.md index 994d017..a4978b0 100644 --- a/docs/architecture/adr/003-client-side-crypto.md +++ b/docs/architecture/adr/003-client-side-crypto.md @@ -349,7 +349,7 @@ Added type safety: **Supply Chain**: - Risk: Compromised node-forge dependency -- Mitigation: Package lock, dependabot, regular audits +- Mitigation: Package lock, Renovate, regular audits - Same risk as any JavaScript dependency **Browser Extensions**:
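Review bot: in the README hunk the "Supply chain" row now credits Renovate, but the diffstat shows only three documentation files changed (README.md, SECURITY.md, ADR 003), so nothing in this patch adds a Renovate configuration or removes a Dependabot one. Confirm the Renovate config already exists in the repository (or is delivered by the parent PRI-387) and link to it from the row, otherwise the table advertises a control the reader cannot verify. The row also keeps `Package locks` while the ADR hunk below says `Package lock`; pick one spelling for both.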
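Review bot: the SECURITY.md line `The project uses \`npm audit\` and Renovate to monitor for known vulnerabilities.` conflates two different controls. `npm audit` compares the installed versions against an advisory database; Renovate opens dependency-update pull requests, which close a known-vulnerability window only once the PR is merged. Suggest splitting the sentence: say where `npm audit` runs (locally, in CI, and whether a finding fails the build) and what Renovate is configured to do for the two dependencies listed just above it, in particular node-forge, which the preceding bullet says must be kept up to date.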
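Review bot: in the ADR hunk the mitigation for `Risk: Compromised node-forge dependency` now reads `Package lock, Renovate, regular audits`, but an automated updater is itself part of the attack surface that risk describes: a malicious node-forge release arrives through a Renovate PR, and the lock file records whatever gets merged. State in the ADR that Renovate PRs for node-forge require human review rather than auto-merge and that installs use the lock file's integrity hashes (`npm ci`), otherwise `Package lock, Renovate` does not mitigate the risk stated above it. `regular audits` should also name the audit meant (the `npm audit` cited in SECURITY.md) and its cadence.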