How to keep all versions of npm packages etc. updated? #1100
traveller195 asked this question in Q&A
See #988. If you (or any other person reading this) can update to a new version of dependencies, test that things still work and submit a PR, that would be appreciated! Things are made worse by upstream design issues partially described in https://overreacted.io/npm-audit-broken-by-design/ and also by ReDoS being typically over-classified in importance as a security issue.
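As an added example (not colouring-core code, and not from the reply's author), the Node script below triages an `npm audit --json` report along the two lines the reply raises: whether a finding is ReDoS-class (CWE-1333) and whether it is only reachable through devDependencies, which never run in the deployed build. The report and package.json are constructed samples in npm's auditReportVersion 2 shape (`vulnerabilities`, `via`, `effects`); the package names and advisory URLs are placeholders.

```javascript
// Constructed sample inputs (not colouring-core's): a package.json and an `npm audit --json`
// report in the auditReportVersion 2 shape. Package names and advisory URLs are placeholders.
const packageJson = {
  dependencies: { "example-web-lib": "^2.1.0" },
  devDependencies: { "example-build-tool": "^4.0.0" },
};
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-web-lib": { name: "example-web-lib", severity: "high", isDirect: true, effects: [],
      via: [{ title: "Prototype Pollution in example-web-lib", cwe: ["CWE-1321"],
        url: "https://example.invalid/advisory/PLACEHOLDER-1", range: "<2.1.3" }] },
    "example-regex-util": { name: "example-regex-util", severity: "high", isDirect: false,
      effects: ["example-build-tool"],
      via: [{ title: "Inefficient Regular Expression Complexity in example-regex-util",
        cwe: ["CWE-1333"], url: "https://example.invalid/advisory/PLACEHOLDER-2", range: "<1.2.0" }] },
    // npm also lists packages that merely depend on a vulnerable one; their `via` holds names
    "example-build-tool": { name: "example-build-tool", severity: "high", isDirect: true,
      effects: [], via: ["example-regex-util"] },
  },
};
const REDOS_CWE = "CWE-1333"; // Inefficient Regular Expression Complexity

function isRedos(advisory) {
  return (advisory.cwe || []).includes(REDOS_CWE) || /regular expression|redos/i.test(advisory.title || "");
}
// Resolve the advisory objects behind an entry, following `via` package names transitively.
function advisoriesOf(name, report, seen = new Set()) {
  if (seen.has(name) || !report.vulnerabilities[name]) return [];
  seen.add(name);
  return report.vulnerabilities[name].via.flatMap((v) => (typeof v === "string" ? advisoriesOf(v, report, seen) : [v]));
}
// Follow `effects` up to the packages nothing else depends on, i.e. the package.json entries.
function rootsOf(name, report, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const effects = (report.vulnerabilities[name] || {}).effects || [];
  return effects.length === 0 ? [name] : effects.flatMap((e) => rootsOf(e, report, seen));
}
function triage(report, pkg) {
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  return Object.keys(report.vulnerabilities).map((name) => {
    const advisories = advisoriesOf(name, report);
    const roots = rootsOf(name, report);
    const devOnly = roots.every((r) => dev.has(r));
    const redos = advisories.length > 0 && advisories.every(isRedos);
    // Build-time ReDoS never runs in the deployed app; a runtime, non-ReDoS finding is the real work.
    const priority = devOnly && redos ? "low" : !devOnly && !redos ? "high" : "review";
    return { name, severity: report.vulnerabilities[name].severity, roots, devOnly, redos, priority };
  });
}
console.table(triage(auditReport, packageJson));
```

Against a real project, replace the two constants with `JSON.parse` of `package.json` and of the output of `npm audit --json`; the "review" bucket is where a human still has to read the advisory.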
Hello,
This is a question from one of our administrators at IOER Dresden and me. It also refers to the discussion #841.
The question is: what is the current workflow of updating and upgrading package versions of colouring-core, to avoid security vulnerabilities and outdated code?
We, as the host of the future Colouring Dresden platform, take care of the versions of e.g. Ubuntu 20.0x LTS, Postgres and the PostGIS extension.
Then, in colouring-core, we use npm and its package.json to define within which major version it will be automatically kept updated for each deployed production build. But comparing the colouring-london version from about August 2022 with the colouring-core version of February 2023, I could not find any changes within the used npm packages and their defined versions in the package.json in a period of about half a year.
The question is (also to learn how to do it): how often are the used npm packages checked manually? I could imagine that it is only important if there are any changes in the usage of the npm packages (e.g. adding a new package and checking how the dependencies are)?
Who decides, and when, to use a new major version? etc.
Who updates versions if there are any publicly known vulnerabilities in those packages?
Maybe you have some input for me. This question is to learn about this, not because there is an urgent problem (maybe I will have a specific issue later, but first I will do some more checks on it).
Please decide yourself if it would be better not to discuss those security issues here.
Best, and thanks in advance