[CB-14145] npm audit in CI TEST WIP - DO NOT MERGE #30
Conversation
Great idea 👍 I see one problem though. Builds might be broken by a PR that is not responsible for it. Just because a new security issue has been discovered in the meantime. So maybe we actually want something that pushes us for any issues. Greenkeeper, David DM or maybe auditing in our nightly builds. |
+1 (+100) I can take a look sometime next month, wouldn't mind if someone can look into these options more quickly. While I would agree with the concern that the CI build may be broken by a PR that is not responsible for it, I would personally favor the idea that we resolve any |
Having given this a little more thought, my stance is that failing our CI tests on a failed audit would be a bad idea. The reasons being:
So I'd say: leave it out of our normal CI and use a dedicated service instead. Snyk seems to be made for this, the GitHub Security Alerts might work fine too. In both cases we have to see how compatible the workflow is with how INFRA works. PS: Even though not security focused, it might still be nice to have GreenKeeper. |
Having these vulnerabilities in |
Yes I am waiting for a review of apache/cordova-android#451. Also keep in mind that the Closing now. |
Platforms affected
All
What does this PR do?
- `npm audit` in Travis CI
- FUTURE TBD: `npm audit` in AppVeyor CI

NOTE: This is a TEST WIP PR, based on 2.1.x, expected to fail with an `npm audit` issue. This change is intended to be included in 2.2.x (for patch release) and master for the next major release, to verify that any `npm audit` issues would be spotted and resolved in the future.

What testing has been done on this change?
Check CI results from this PR

Checklist
- Reported an issue in the JIRA database
- Commit message follows the format: "CB-3232: (android) Fix bug with resolving file paths", where CB-xxxx is the JIRA ID & "android" is the platform affected.
- Added automated test coverage as appropriate for this change.