Merge pull request #269 from creative-commoners/pulls/master/yarn-groups

ENH Add instructions to check if depedency is dev or non-dev only
silverstripe · Jun 5, 2024 · 3f291dc · 3f291dc
2 parents cde9e9b + ccbad30
commit 3f291dc
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/.github/workflows/dependabot-prs-issue.yml b/.github/workflows/dependabot-prs-issue.yml
@@ -91,6 +91,8 @@ jobs:
             ### Dependabot pull-requests:\n
             See the [list of dependabot pull-requests](https://rhino.silverstripe.org/?t=open-prs&filters={%22author%22%3A%22dependabot%22}) in Rhino.\n
             - Make a quick determination as to whether the vulnerability fixed by the PR warrants using our security process\n
+              - You can check to see if the dependabot alert affects non-dev dependencies by running `yarn audit --groups dependencies` locally on default branch of the module.\n
+              - Use `yarn audit --groups devDependencies` to see dev-only dependencies.\n
             - Merge these PRs if there are no merge-conflicts and CI is green\n
             - If there are conflicts or CI isn't green, get dependabot to recreate the PR\n
             - If there are still problems, manually resolve them and open your own PR\n