[ 
https://issues.apache.org/jira/browse/CB-14145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16517164#comment-16517164
 ] 

ASF GitHub Bot commented on CB-14145:
-------------------------------------

raphinesse edited a comment on issue #30: [CB-14145] npm audit in CI TEST WIP - 
DO NOT MERGE
URL: https://github.com/apache/cordova-common/pull/30#issuecomment-398418225
 
 
   Having given this a little more thought, my stance is that **failing our CI 
tests on a failed audit would be a bad idea**. The reasons being:
   
   - We are basically polling for changes, and only do so if someone files a PR or 
commits to master. Thus:
     - We are not notified ASAP
     - PRs might seem to fail the tests when they did not actually cause the 
problem
   - Our tests might be stuck failing for some time without us being able to 
fix it. Because:
     - Either there's not a fix to the vulnerability yet
     - Or the vulnerability is in a transitive dependency, while our direct 
dependency (or someone in the chain) hasn't yet updated (Right now, `node-sass` 
users might be able to relate)
   
   So my stance is: leave it out of our normal CI and use a dedicated service 
instead. Snyk seems to be made for this, the GitHub Security Alerts might work 
fine too. In both cases we have to see how compatible the workflow is with how 
INFRA works.
   
   PS: Even though not security focused, it might still be nice to have 
GreenKeeper.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Resolve npm audit issues
> ------------------------
>
>                 Key: CB-14145
>                 URL: https://issues.apache.org/jira/browse/CB-14145
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: cordova-android, cordova-app-hello-world, 
> cordova-browser, cordova-cli, cordova-coho, cordova-common, cordova-fetch, 
> cordova-ios, cordova-js, cordova-lib, cordova-osx, cordova-windows
>            Reporter: Chris Brody
>            Assignee: Chris Brody
>            Priority: Major
>
> From private discussions I discovered that running {{npm audit}} on a number 
> of components would report dependencies with security issues. While we could 
> not see any {{npm audit}} issues that may affect applications built using 
> Cordova I think it is extremely important to resolve these issues as soon as 
> possible. Most affect devDependencies used for testing of Cordova itself; a 
> minority seem to affect Cordova scripts that may be run by Cordova 
> application developers. Better safe than sorry!
> I would like to resolve this issue as follows:
> * patch release of common library components such as {{cordova-common}}, 
> {{cordova-lib}}, etc. (fixed in minor release branch)
> * patch or minor release of other affected components such as CLI, Cordova 
> platform implementations, major plugins, etc. (expected to be fixed in minor 
> release branch; do not want to pollute the master branch with extra reverts, 
> updated node_modules committed, etc.)
> * {{npm audit}} issues resolved in master branch for next major release, 
> which should NOT be shipped with any {{npm audit}} issues lurking
> * {{npm audit}} step added to CI for both patch release and next major release



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
