Revert loosening of npm audit strictness #1317
Assignees
Labels
Comments
Closed
1 task
rajsite
pushed a commit
that referenced
this issue
Jun 22, 2023
# Pull Request ## 🤨 Rationale Workaround for #1317. We'll use that issue to track re-enabling strict auditing. ## 👩💻 Implementation The current error is a `moderate` vulnerability so changing the level to `high` should temporarily allow it ## 🧪 Testing Pipeline ## ✅ Checklist <!--- Review the list and put an x in the boxes that apply or ~~strike through~~ around items that don't (along with an explanation). --> - [ ] I have updated the project documentation to reflect my changes or determined no changes are needed.
jattasNI
changed the title
Merged
1 task
jattasNI
added a commit
that referenced
this issue
Jun 23, 2023
…enable audit for prod (#1322) # Pull Request ## 🤨 Rationale Fixes #1317. The `npm audit` of production dependencies was failing because of deps that Storybook brought in. But Storybook should really be a dev dependency. Storybook is listed as a production dependency because it's in `peerDependencies` in the root `package.json`. We added it there in [this commit](321cdd3) of the PR that migrated us to Storybook 7. I believe the rationale was that it was necessary to apply [a patch](https://github.com/ni/nimble/blob/main/patches/%40storybook%2Bhtml%2B7.0.0.patch) to the package. (I'd like to remove that patch but I think it's not possible until storybookjs/storybook#22384 is available. Currently it's only released in an alpha branch) ## 👩💻 Implementation 1. Remove `@storybook/html` from `peerDependencies` in the root `package.json` 2. `git clean -fdx` 3. `npm install` to regenerate `package-lock.json` 4. Re-enable audit for all severity levels for prod dependencies ## 🧪 Testing I locally verified that the patch was still applied to the file inside node_modules. If it isn't applied, I believe we'd see a build error. I locally verified that `npm audit --only=prod` succeeds now. Otherwise relying on the PR build. ## ✅ Checklist <!--- Review the list and put an x in the boxes that apply or ~~strike through~~ around items that don't (along with an explanation). --> - [ ] I have updated the project documentation to reflect my changes or determined no changes are needed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
🧹 Tech Debt
The
npm auditstep of our pipeline was failing due to a vulnerability with semver. We made it less strict in #1318 to get the build passing, but we should fix the vulnerability and make it strict again instead.The text was updated successfully, but these errors were encountered: