# RP - Vulnerability remediation

**Runbook, May 2026. Workflow for remediating dependency vulnerabilities reported by Dependabot.**

## Context

Vulnerabilities are detected automatically by **Dependabot** and reported every morning on Slack. This document describes the full triage and remediation procedure, from alert to merge.

<p class="callout info">Dependabot is configured in **alerts only** mode: it does not open Pull Requests automatically. Fixes are applied by hand following this workflow.</p>

---

### Naming conventions

#### Git branch

```
Format: security/<package>-patch-dep<first>-<last>

Examples:
  security/phpspreadsheet-patch-dep5-9
  security/axios-patch-dep10-22
```

`<first>` and `<last>` are the lowest and highest Dependabot alert numbers the branch fixes; the same pair is reused in the Trello title and in the PR description.

---

#### Trello - Tracking ticket

**Labels**: `<projet>(RP)`, `<prioritaire>`, `<sécurité>` and, where applicable, `<Non testable PO>` (the fix cannot be tested by the Product Owner).

**Title**:

```
Format: Sécurité - Patch <package> <current> → <target> (dep <first>-<last>)

Examples:
  Sécurité - Patch phpspreadsheet 3.10.0 → 3.10.5 (dep 5-9)
  Sécurité - Patch axios 1.15.0 → 1.16.0 (dep 10-22)
```

**Description**: links to the Dependabot security alerts.

```
Example:

Fixes Dependabot alerts 19-22

19 - https://github.com/re-connect/pro/security/dependabot/19
20 - https://github.com/re-connect/pro/security/dependabot/20
21 - https://github.com/re-connect/pro/security/dependabot/21
22 - https://github.com/re-connect/pro/security/dependabot/22
```

And of course, attach the branches and the PRs to the card with the Git Power-Up.

---

#### Pull Request

Always open 2 PRs, one to `main` and one to `dev`, and give both the `security` label for readability.

**Title:**

```
Format: security(deps-<ecosystem>): upgrade <package> <current> to <target>

Examples:
  security(deps-composer): upgrade phpspreadsheet 3.10.0 to 3.10.5
  security(deps-yarn): upgrade axios 1.15.0 to 1.16.0
```

The same string, prefixed with 🔒, is used as the commit subject (see the procedures below).

**Description**:

```
Example:

Fixes Dependabot alerts 10-22
  22 - https://github.com/re-connect/pro/security/dependabot/22
  21 - https://github.com/re-connect/pro/security/dependabot/21
  20 - https://github.com/re-connect/pro/security/dependabot/20
  19 - https://github.com/re-connect/pro/security/dependabot/19
  18 - https://github.com/re-connect/pro/security/dependabot/18
  17 - https://github.com/re-connect/pro/security/dependabot/17
  16 - https://github.com/re-connect/pro/security/dependabot/16
  15 - https://github.com/re-connect/pro/security/dependabot/15
  14 - https://github.com/re-connect/pro/security/dependabot/14
  13 - https://github.com/re-connect/pro/security/dependabot/13
  12 - https://github.com/re-connect/pro/security/dependabot/12
  11 - https://github.com/re-connect/pro/security/dependabot/11
  10 - https://github.com/re-connect/pro/security/dependabot/10
```

Preview:

![Screenshot 2026-05-07 at 13.26.49](https://ambroise.reconnect.fr/uploads/images/gallery/2026-05/scaled-1680-/capture-decran-2026-05-07-a-13-26-49.png)
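An added helper (mine, not part of the runbook or of the project) that derives the branch name, the Trello title, the PR title, the commit subject and the alert-link description from one set of inputs, so that the three places cannot drift apart. The `re-connect/pro` repository, the package names and the versions are the runbook's own examples; the function names, the `REPO` default and the input validation are assumptions of this example.

```shell
#!/bin/sh
# Added helper, not part of the runbook: derive every name the workflow
# needs from one set of inputs so branch, Trello card, PR and commit agree.

REPO=${REPO:-re-connect/pro}   # assumed default; override with REPO=owner/name

# Accept only plain x.y.z versions; anything else is rejected early so a
# typo never ends up in a branch name or a commit subject.
check_semver() {
  case $1 in
    *.*.*.*|*[!0-9.]*|*..*|.*|*.|"") echo "bad version: '$1'" >&2; return 1 ;;
    *.*.*) return 0 ;;
    *) echo "bad version: '$1'" >&2; return 1 ;;
  esac
}

# Branch: security/<package>-patch-dep<first>-<last>
branch_name() {   # package first_alert last_alert
  printf 'security/%s-patch-dep%s-%s\n' "$1" "$2" "$3"
}

# Trello card title (left in French, as the cards are written)
trello_title() {  # package current target first_alert last_alert
  printf 'Sécurité - Patch %s %s → %s (dep %s-%s)\n' "$1" "$2" "$3" "$4" "$5"
}

# PR title: security(deps-<ecosystem>): upgrade <package> <current> to <target>
pr_title() {      # ecosystem package current target
  printf 'security(deps-%s): upgrade %s %s to %s\n' "$1" "$2" "$3" "$4"
}

# Commit subject = PR title with the lock emoji prefix used in the runbook
commit_subject() { printf '🔒 %s\n' "$(pr_title "$@")"; }

# Description body: one link per alert, highest number first as in the PR example
alert_links() {   # owner/repo first_alert last_alert
  printf 'Fixes Dependabot alerts %s-%s\n' "$2" "$3"
  n=$3
  while [ "$n" -ge "$2" ]; do
    printf '  %s - https://github.com/%s/security/dependabot/%s\n' "$n" "$1" "$n"
    n=$((n - 1))
  done
}

# Everything for one batch, in the order the workflow creates it.
plan() {          # ecosystem package current target first_alert last_alert
  check_semver "$3" && check_semver "$4" || return 1
  [ "$5" -le "$6" ] || { echo "alert range reversed: $5-$6" >&2; return 1; }
  echo "branch : $(branch_name "$2" "$5" "$6")"
  echo "trello : $(trello_title "$2" "$3" "$4" "$5" "$6")"
  echo "pr     : $(pr_title "$1" "$2" "$3" "$4")"
  echo "commit : $(commit_subject "$1" "$2" "$3" "$4")"
  echo "description:"
  alert_links "$REPO" "$5" "$6"
}

# Stand-alone use:  sh depnames.sh yarn axios 1.15.0 1.16.0 10 22
if [ $# -gt 0 ]; then
  plan "$@"
fi
```

Source the file (`. ./depnames.sh`) to get the functions in an interactive shell, or run it with the six arguments to print the whole plan for one batch; the range check and the version check are there because a reversed alert range or a truncated version is exactly the kind of error that is easy to copy from Slack and hard to spot in a PR title.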

---

## Triage procedure

#### 1. Assess the version jump

| Jump | Risk | Action |
|---|---|---|
| patch `x.y.Z` | Very low | Update directly, no CHANGELOG to read; CI still has to pass |
| minor `x.Y.z` | Low | Read the CHANGELOG and check the release notes |
| major `X.y.z` | High | Read the CHANGELOG and look for a migration guide |

#### 2. Group the alerts

- Same package + same ecosystem → **one batch**
- Different ecosystems (npm / composer) → **separate branches**
- Breaking change inside the batch → **separate commit** on the same branch
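An added example (mine, not the runbook's) of the version-jump classification from step 1 as a shell function, so it can be applied to the `<current>` and `<target>` versions copied from an alert. It also reports the case the table does not cover, a target version lower than the installed one, which points to the vulnerable copy being a second, transitive instance of the package rather than the top-level one. Function names and the pre-release handling (rejected, not parsed) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the runbook: classify the jump between the
# installed version and the Dependabot target and print the triage action.

# Split "x.y.z" (optional leading "v") into "x y z". Pre-release suffixes
# such as "-beta.1" are deliberately rejected: triage them by hand.
split_semver() {  # version -> "major minor patch" on stdout
  v=${1#v}
  case $v in
    *.*.*.*|*[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    *.*.*) ;;
    *) return 1 ;;
  esac
  maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
  printf '%s %s %s\n' "$maj" "$min" "$pat"
}

# patch | minor | major | same | downgrade, comparing field by field.
bump_kind() {  # installed target
  set -- $(split_semver "$1") $(split_semver "$2")
  [ $# -eq 6 ] || { echo "unparseable version" >&2; return 1; }
  if   [ "$4" -gt "$1" ]; then echo major
  elif [ "$4" -lt "$1" ]; then echo downgrade
  elif [ "$5" -gt "$2" ]; then echo minor
  elif [ "$5" -lt "$2" ]; then echo downgrade
  elif [ "$6" -gt "$3" ]; then echo patch
  elif [ "$6" -lt "$3" ]; then echo downgrade
  else echo same
  fi
}

# The action column of the triage table, plus the two cases it leaves out.
triage_action() {  # kind
  case $1 in
    patch)     echo "update directly; no CHANGELOG to read, CI must stay green" ;;
    minor)     echo "read the CHANGELOG and the release notes first" ;;
    major)     echo "read the CHANGELOG, look for a migration guide, separate commit" ;;
    same)      echo "already at target: check the lockfile, the alert may be on another copy" ;;
    downgrade) echo "target below installed: the vulnerable copy is a transitive instance, check the lockfile" ;;
    *)         return 1 ;;
  esac
}

triage() {  # package installed target
  kind=$(bump_kind "$2" "$3") || return 1
  printf '%s %s -> %s: %s, %s\n' "$1" "$2" "$3" "$kind" "$(triage_action "$kind")"
}

# Stand-alone use:  sh triage.sh phpspreadsheet 3.10.0 3.10.5
if [ $# -eq 3 ]; then
  triage "$@"
fi
```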

---

## Remediation procedure

### Composer

<details id="bkmrk-proc-composer"><summary>**See the Composer procedure**</summary>

1\. Check the installed version:

`composer show phpoffice/phpspreadsheet | grep versions`

2\. Make sure `composer.json` uses a `^` constraint rather than an exact version, and that the target version is inside that range (`^3.10` allows `3.10.5` but not `4.0.0`; for a major jump the constraint itself has to be edited):

`"phpoffice/phpspreadsheet": "^3.10"`

3\. Update the package (add `--with-dependencies` if Composer refuses because one of the package's own dependencies also has to move):

`composer update phpoffice/phpspreadsheet`

4\. Validate, and re-run the step 1 command to check that the installed version is now the target version:

`composer validate`

`composer audit`

5\. Commit:

`git add composer.json composer.lock`

`git commit -m "🔒 security(deps-composer): upgrade <package> <current> to <target>"`

</details>

### npm / Yarn

<details id="bkmrk-proc-yarn"><summary>**See the Yarn procedure**</summary>

1\. Check the installed version (Yarn 1 syntax):

`yarn list --pattern axios`

2\. Make sure the range in `package.json` allows the target version (`^1.15.0` allows `1.16.0` but not `2.0.0`).

3\. Update the package. `yarn upgrade axios` takes the highest version the range allows; to land exactly the version Dependabot asks for, name the range explicitly (Yarn 1 then writes it into `package.json` as well):

`yarn upgrade "axios@^1.16.0"`

4\. Validate, and re-run the step 1 command to check that the target version is the one installed:

`yarn audit`

5\. Commit (`package.json` only if the range changed):

`git add package.json yarn.lock`

`git commit -m "🔒 security(deps-yarn): upgrade <package> <current> to <target>"`

</details><p class="callout warning">If `yarn upgrade` jumps to a minor instead of the patch Dependabot indicated, either check that the minor introduces no breaking change before committing, or name the patch version explicitly as in step 3.</p>
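An added check, not from the runbook: after `composer update` or `yarn upgrade`, confirm that the lockfile really resolves the package to the target version before committing. The case it is written for is a `yarn.lock` that still carries a second, older copy of the package pulled in by another dependency, which is enough to keep the Dependabot alert open after the PR is merged. The lockfile excerpts below are constructed samples, not the project's files, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added check, not part of the runbook: make sure the lockfile really
# resolves the package to the target version before committing.

# Every version of package $1 resolved in a Yarn 1 yarn.lock ($2), one per
# line. Entry headers are unindented ("axios@^1.15.0, axios@^1.16.0:") and
# are followed by an indented  version "1.16.0"  line; nested
# "dependencies:" blocks are indented and therefore never start an entry.
yarn_lock_versions() {
  awk -v pkg="$1" '
    /^[^ \t#]/ {                          # unindented, non-comment: new entry
      cur = 0
      n = split($0, specs, ",")
      for (i = 1; i <= n; i++) {
        s = specs[i]
        gsub(/^[ \t]+|[ \t:]+$/, "", s); gsub(/^"|"$/, "", s)
        name = s; sub(/@[^@]*$/, "", name)  # drop the range after the last @
        if (name == pkg) cur = 1
      }
    }
    cur && /^[ \t]+version / { v = $2; gsub(/"/, "", v); print v }
  ' "$2" | sort -u
}

# Every "version" recorded for package $1 in composer.lock ($2). Relies on
# Composer writing each package object pretty-printed with "name" directly
# followed by "version"; packages and packages-dev are both scanned.
composer_lock_versions() {
  awk -v pkg="$1" '
    /"name": /           { n = $2; gsub(/[",]/, "", n); cur = (n == pkg) }
    cur && /"version": / { v = $2; gsub(/[",]/, "", v); print v; cur = 0 }
  ' "$2" | sort -u
}

# Succeeds only if package $2 resolves to exactly $3 in lockfile $4 of
# ecosystem $1; prints the stale versions on stderr otherwise.
lock_resolves_to() {
  case $1 in
    composer) versions=$(composer_lock_versions "$2" "$4") ;;
    yarn)     versions=$(yarn_lock_versions "$2" "$4") ;;
    *) echo "unknown ecosystem: $1" >&2; return 2 ;;
  esac
  [ -n "$versions" ] || { echo "$2: not found in $4" >&2; return 1; }
  stale=$(printf '%s\n' "$versions" | grep -vxF "$3" || true)
  if [ -n "$stale" ]; then
    echo "$2: $4 still resolves to $(printf '%s' "$stale" | tr '\n' ' ')" >&2
    return 1
  fi
}

# Constructed sample lockfiles (not the project's files) for a dry run.
# The yarn.lock keeps an old axios 1.15.0 alive through some-wrapper.
write_samples() {  # dir
  cat > "$1/yarn.lock" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


axios@^1.16.0:
  version "1.16.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.16.0.tgz"

some-wrapper@^2.0.0:
  version "2.0.0"
  dependencies:
    axios "^1.15.0"

axios@^1.15.0:
  version "1.15.0"
  resolved "https://registry.yarnpkg.com/axios/-/axios-1.15.0.tgz"
EOF
  cat > "$1/composer.lock" <<'EOF'
{
    "packages": [
        {
            "name": "phpoffice/phpspreadsheet",
            "version": "3.10.5",
            "authors": [
                {
                    "name": "Example Author"
                }
            ]
        }
    ],
    "packages-dev": []
}
EOF
}

# Stand-alone demo:  sh lockcheck.sh --demo
if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  write_samples "$d"
  lock_resolves_to composer phpoffice/phpspreadsheet 3.10.5 "$d/composer.lock" && echo "composer: ok"
  lock_resolves_to yarn axios 1.16.0 "$d/yarn.lock" || echo "yarn: stale copy present, fix some-wrapper or dedupe"
  rm -rf "$d"
fi
```

In real use, call `lock_resolves_to yarn axios 1.16.0 yarn.lock` from the branch after step 3; a stale copy means the alert is on a transitive dependency and the upgrade has to be pushed through the dependent package (or the lockfile deduplicated) before the PR is worth opening.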

---

## Pre-merge checklist

- CI green
- `composer audit` or `yarn audit` with no blocking alert
- Lockfile resolves the package to the target version, with no older copy left behind
- 2 PRs open, `main` + `dev`, both labelled `security`
- Dependabot alerts closed after merge