Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: uncomment audit #2636

Merged
merged 1 commit into from
Jun 16, 2020
Merged

ci: uncomment audit #2636

merged 1 commit into from
Jun 16, 2020

Conversation

hiroppy
Copy link
Member

@hiroppy hiroppy commented Jun 3, 2020

  • This is a bugfix
  • This is a feature
  • This is a code refactor
  • This is a test update
  • This is a docs update
  • This is a metadata update

For Bugs and Features; did you add new tests?

no

Motivation / Use-Case

I hope the audit has been fixed on v4.

Breaking Changes

no

Additional Info

@hiroppy
Copy link
Member Author

hiroppy commented Jun 3, 2020
edited
Loading

hmm, need to update yargs-parser..
All of them are devDeps so I added --production flag to audit command. (also, devDeps aren't important)

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @commitlint/cli [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @commitlint/cli > meow > yargs-parser                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump >           │
│               │ git-semver-tags > meow > yargs-parser                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > git-semver-tags > meow > yargs-parser     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard-version > conventional-recommended-bump > meow >    │
│               │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

@codecov
Copy link

codecov bot commented Jun 3, 2020
edited
Loading

Codecov Report

Merging #2636 into v4 will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff           @@
##               v4    #2636   +/-   ##
=======================================
  Coverage   92.35%   92.35%           
=======================================
  Files          34       34           
  Lines        1321     1321           
  Branches      373      373           
=======================================
  Hits         1220     1220           
  Misses         96       96           
  Partials        5        5

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d9cd8e1...fe89df3. Read the comment docs.

@hiroppy hiroppy force-pushed the feature/update-azure-pipelines branch from c185c35 to fe89df3 Compare June 3, 2020 12:43
@hiroppy
Copy link
Member Author

hiroppy commented Jun 14, 2020

@evilebottnawi please review this

alexander-akait
alexander-akait reviewed Jun 15, 2020
View reviewed changes
azure-pipelines.yml
# - script: npm run security
# displayName: 'Run NPM audit'
- script: npm audit --production
displayName: 'Run NPM audit'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why only production? In theory dev dependencies can be vulnerable too, but at the moment we’re not auditing anything at all, so let's merge

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right, but currently we can't fix yargs-parser issue. #2636 (comment)

@hiroppy hiroppy merged commit 6e9890e into v4 Jun 16, 2020
@hiroppy hiroppy deleted the feature/update-azure-pipelines branch June 16, 2020 05:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexander-akait alexander-akait alexander-akait approved these changes

@knagaitsev knagaitsev Awaiting requested review from knagaitsev

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hiroppy @alexander-akait