Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove npm audit from scaffolded posttest to fix CI builds #556

Merged
merged 2 commits into from
Oct 1, 2019
Merged

Remove npm audit from scaffolded posttest to fix CI builds #556

merged 2 commits into from
Oct 1, 2019

Conversation

bajtos
Copy link
Member

@bajtos bajtos commented Sep 30, 2019
edited
Loading

New applications are created with a dependency on loopback-component-explorer, which depends on swagger-ui@2 that's no longer maintained.

This version of swagger-ui has known security vulnerabilities which DO NOT apply to loopback-component-explorer, see the discussion in strongloop/loopback-component-explorer#263.

Unfortunately, there is no way how to tell npm to ignore them.

This commit removes npm audit from the posttest script, to let npm test pass and thus fix our failing CI builds.

Checklist

  • New tests added or existing tests modified to cover all changes
  • Code conforms with the style guide

@bajtos
test: always create package-lock during install
5b87f86 
Fix the code running `npm install` to always ask npm to create
a package-lock file, ignoring any environment-specific configuration.
This is needed to make `npm audit` work.

Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
@bajtos
Remove npm audit from scaffolded posttest
7c0fe28 
New applications are created with a dependency on
loopback-component-explorer, which depends on `swagger-ui@2`
that's no longer maintained.

This version of swagger-ui has known security vulnerabilities
which DO NOT apply to loopback-component-explorer. Unfortunately,
there is no way how to tell `npm` to ignore them.

This commit removes `npm audit` from the `posttest` script,
to let `npm test` pass and thus fix our failing CI builds.

Signed-off-by: Miroslav Bajtoš <mbajtoss@gmail.com>
@bajtos bajtos added the ci label Sep 30, 2019
@bajtos bajtos requested a review from a team September 30, 2019 12:24
@bajtos bajtos self-assigned this Sep 30, 2019
agnes512
agnes512 reviewed Sep 30, 2019
View reviewed changes
Copy link
Contributor

@agnes512 agnes512 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the vulnerabilities only from swagger-ui@2? Do we need to detect other vulnerabilities?

dhmlau
dhmlau approved these changes Sep 30, 2019
View reviewed changes
Copy link
Member

@dhmlau dhmlau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please squash the commits before merging. Thanks.

@bajtos
Copy link
Member Author

bajtos commented Sep 30, 2019

Are the vulnerabilities only from swagger-ui@2? Do we need to detect other vulnerabilities?

Yes, they are from swagger-ui@2 only. This may change in the future though 🤷‍♂

Historically, we were running nsp check as part of posttest script, the idea was to push LB app developers to deal with security of their dependencies.

Nowadays, npm prints warnings about security vulnerabilities whenever you run npm install, I feel that's good enough as far as our project template should be concerned.

@bajtos
Copy link
Member Author

bajtos commented Sep 30, 2019

Please squash the commits before merging.

I am intentionally keeping the change split into two commits. If we ever decide to revert this PR and start to run npm audit again, we want to revert only the second one, but keep the first.

@agnes512
Copy link
Contributor

I see. Thanks for the clarification.

@bajtos bajtos merged commit 74eaa43 into master Oct 1, 2019
@delete-merged-branch delete-merged-branch bot deleted the fix/ci branch October 1, 2019 06:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agnes512 agnes512 agnes512 approved these changes

@nabdelgadir nabdelgadir nabdelgadir approved these changes

@dhmlau dhmlau dhmlau approved these changes

@emonddr emonddr emonddr approved these changes

@rashmihunt rashmihunt Awaiting requested review from rashmihunt rashmihunt is a code owner

Assignees

@bajtos bajtos

Labels
ci
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@bajtos @agnes512 @emonddr @dhmlau @nabdelgadir