A question about @dependabot and resolving dependency updates

[doeg]

Right now, there are ~20 PRs opened by dependabot to update various dependencies.

Further, npm audit shows a handful of issues to be addressed. (I don't really love npm audit as a marker for vulnerability severity, but some projects do take it seriously.)

58 vulnerabilities (3 low, 14 moderate, 31 high, 10 critical)

In the past, I've personally preferred to do module updates myself to ensure that nothing breaks, since semver is not always trustworthy. :) That said, it's a ton of work to do it manually and I do see the appeal of @dependabot.

@diasbruno do you have thoughts on how you like to deal with @dependabot pull requests and module updates in general? 🙏 This is definitely something that I'd be happy to help with.

[diasbruno]

It would be nice to merge, but at this point - and as we already have plans to upgrade the toolchain, better update everything at once.

I've made progress using esbuild. Just need to put the examples back to work and compile the minified versions.

After the toolchain upgrade, we can just merge every time dependabot opens a PR.