add npm-audit-fix workflow

[aheev]

• Runs every monday
• raise a PR only if there are >= high vulnerabilities

[aheev]

@adsharma could you PTAL?

[adsharma]

https://github.com/ybiquitous/npm-audit-fix-action is another possibility. Search tells me they're popular, around for many years. But another dependency.

Have you looked into why this is significant enough to have a dedicated action in the marketplace?

[aheev]

https://github.com/ybiquitous/npm-audit-fix-action is another possibility. Search tells me they're popular, around for many years. But another dependency.

Have you looked into why this is significant enough to have a dedicated action in the marketplace?

I have encountered these actions initially, but lost during revisions. Curious, why can't we use Dependabot for the same?

If we want more fine-grained control, we can use renovate too

[adsharma]

Agree - dependabot is a better option because it leaves a PR based audit trail. The other actions on marketplace are there for further automation and less PR noise (there is a lot of it in the nodejs world).

[aheev]

Agree - dependabot is a better option because it leaves a PR based audit trail. The other actions on marketplace are there for further automation and less PR noise (there is a lot of it in the nodejs world).

is the dependabot auto fix enabled already?

[adsharma]

I toggled these two:

• Dependabot security updates
• Grouped security updates

from disabled -> enabled.

Let's give it a day or two to test and then close this PR?

[aheev]

I toggled these two:

• Dependabot security updates
• Grouped security updates

from disabled -> enabled.

Let's give it a day or two to test and then close this PR?

LGTM

[aheev]

Also I am enabling

I toggled these two:

• Dependabot security updates
• Grouped security updates

from disabled -> enabled.

Let's give it a day or two to test and then close this PR?

should I apply the same on api-server repo?

[adsharma]

api-server also has the same settings now.