Skip to content
This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Fix npm audit fail issue 4803 #4948

Merged
merged 7 commits into from
Sep 27, 2018
Merged

Fix npm audit fail issue 4803 #4948

merged 7 commits into from
Sep 27, 2018

Conversation

g-k
Copy link
Contributor

@g-k g-k commented Sep 24, 2018
edited
Loading

Assuming no new insecure deps, this should fix #4803 (for CI at least).

OK this is finally ready for review. Sorry about all the spam in #screenshots on irc.

@g-k g-k force-pushed the fix-npm-audit-fail-issue-4803 branch 7 times, most recently from 287171f to b18f50a Compare September 25, 2018 19:21
@jaredhirsch
Copy link
Member

Sorry about all the spam in #screenshots on irc.

I'll take free help + irc spam any time you have spare cycles ^_^

jaredhirsch
jaredhirsch suggested changes Sep 26, 2018
View reviewed changes
Copy link
Member

@jaredhirsch jaredhirsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR 👍

The audit-filter binary is compiled for linux, so it won't run on mac. How hard would it be to add mac support?

@chenba
Copy link
Collaborator

chenba commented Sep 26, 2018

The npm version required is a problem locally until #4804 is fixed. (Or we could document that as a requirement for the project).

Greg Guthe added 7 commits September 26, 2018 16:27
readme: remove reference to nsp
6761534
remove comment from .nsprc
17cfc1e 
to make it valid JSON
npmrc: add exceptions for ReDoS in dev deps
4f4082e 
istanbul middleware
nsprc: add exception for adm-zip file write advisory
a59fd1d 
https://www.npmjs.com/advisories/681

at paths:

jpm > firefox-profile > adm-zip
web-ext > firefox-profile > adm-zip

These 1) run from build tools that already have access to local the local
filesystem and 2) do not take input files outside the repo
add npm lint:dep script to run npm audit with filter in CI
18321d4
ci: install npm@6.4.1 for audit support
f09f092
nsprc: switch to npmjs.org/advisories to fix filtering
e4ffef7
@g-k g-k force-pushed the fix-npm-audit-fail-issue-4803 branch from 0a1444d to e4ffef7 Compare September 26, 2018 20:29
@g-k
Copy link
Contributor Author

g-k commented Sep 26, 2018

OK made some changes:

Haven't tested this PR on OSX (have tested audit-filer), but try running: CI=1 npm run-script lint:deps

jaredhirsch
jaredhirsch approved these changes Sep 27, 2018
View reviewed changes
Copy link
Member

@jaredhirsch jaredhirsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I'm not sure I'm qualified to review all the platform detection code in the shell script, but it looks fine at a glance, and does work on mac. I also tried removing one of the .nsprc entries, and the linter correctly failed on the missing advisory. Merging.

@jaredhirsch jaredhirsch merged commit 292bde1 into master Sep 27, 2018
@jaredhirsch jaredhirsch deleted the fix-npm-audit-fail-issue-4803 branch September 27, 2018 00:20
@g-k g-k mentioned this pull request Oct 22, 2018
Merged
@renovate renovate bot mentioned this pull request Dec 10, 2018
Closed
1 task
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jaredhirsch jaredhirsch jaredhirsch approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Make npm audit fail the tests
3 participants
@g-k @jaredhirsch @chenba