ci: add mkdocs Python deps to dependabot security updates #12612
Follow-up to #12360 that added `docs/requirements.txt` (glad to have a proper dep file for that!)

Motivation

`mkdocs` has an XSS vuln or something that would impact the docs site

Modifications

- `docs/` `pip` section to `dependabot.yml`
- style: reorder dep sections

Verification

n/a, this can only be tested after updating

Notes to Reviewers

I was thinking about some of the NPM docs deps too, but those don't make it into prod, so I don't think they necessarily need to have security updates, but that wouldn't necessarily be bad practice to safeguard devDeps too.

`Makefile` as well as in the Nix flakes. `mkdocs` is technically also a devDep, but the code it produces goes into the prod docs site, per the "Motivation" section above. So if `mkdocs` itself has a vuln, not a big issue, but if its generated code has a vuln, potentially an issue. There's no real way to distinguish between those two scenarios though, unfortunately.
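For illustration, this is the shape of a `dependabot.yml` entry that watches `docs/requirements.txt` while limiting Dependabot to security PRs; it is an added example, not the diff from this PR, and the `/docs` path, schedule and limit are assumptions:

```yaml
version: 2
updates:
  # Assumed: mkdocs and its Python deps are pinned in docs/requirements.txt
  - package-ecosystem: "pip"
    directory: "/docs"
    schedule:
      interval: "weekly"
    # Assumed policy: an open-PR limit of 0 suppresses routine version-bump
    # PRs for this manifest; Dependabot security updates are not subject to
    # this limit, so vulnerable mkdocs versions still get a fix PR.
    open-pull-requests-limit: 0
```

Security updates themselves must also be enabled in the repository's security settings; this file only tells Dependabot which manifests to track.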