Lock versions of the dependencies

[ematipico]

Due to the recent problems happened to the npm world, I'd propose to lock all the versions of our dependencies and development dependencies

It's not a bulletproof solution must at least it's something

Before:

"chalk": "^2.4.1" 

After:

"chalk": "2.4.1"

[dhruvdutt]

Can you also suggest recommended security procedures for updating dependencies manually? One platform is snyk definitely.

[ematipico]

It's already in place in our CI. Another check would be to run npm audit in our CI and fail it if there are vulnerabilities

[dhruvdutt]

Yeah, we always check that while upgrading.
Not sure if we need to pin all dependencies explicitly.
@evenstensberg WDYT?

[evenstensberg]

Let's discuss this

[ematipico]

@evenstensberg This is the place to discuss it :) what do you think even?

@dhruvdutt during a dep installation, npm only installs the direct dependencies, no devs. So in theory only those should be fine, although hackers usually also put cryptocurrency scripts to get CPU clocks from the CIs. So let's just audit and security check everything and that's it.

[dhruvdutt]

Hmmm, makes sense. We can try pinning dependencies.
I will take the responsibility for upgrading packages every fortnight with a proper audit. ✋

[sendilkumarn]

Let us add dependabot here and pin the libraries. I think that makes sense with security.

[ematipico]

@evenstensberg what are your thoughts about this?

[evenstensberg]

We got snyk which I think is enough

[ematipico]

It's enough for us but unfortunately it's not enough for the security for the users

We know that if we don't pin our dependencies and there's no lock and it's not been used properly, the consumers will get into their dependency tree all the minor releases/fixes even though it shouldn't be like this.

Change is for who consumes the library