Conversation
CI is failing because NSP is reporting quite a number of new vulnerabilities.
Why would it be reporting new vulnerabilities? This should be all the packages we normally install. Does nsp look at package-lock for what it should check? (I didn't think it did; I recall getting errors for packages that we didn't directly require.)
This doesn't make any sense. I tried manually removing the line from the .npmrc file, re-running npm install locally, then doing
nsp looks at
I'm generating the package-lock locally (via npm install after removing the line from the .nsprc) and not seeing this error. Could someone else try?
Trying ./node_modules/.bin/nsp check -o summary reports 2 vulnerabilities for me. Btw, I have npm 5.5.1 and already had a .npmrc file with the package-lock=false option.
Argh, I tried it again. First I got 13 vulnerabilities. (15 was reported in the CircleCI run, for those keeping score.) Then I'll run the tests again on CircleCI.
@punamdahiya Try removing that line from your .npmrc, then re-running
@6a68 tried deleting the entry in .npmrc and regenerating package-lock.json. It still complains about the above 2 vulnerabilities because of base64URL version 2.0.0.
Not only do I get a different number of vulnerabilities locally than on CircleCI, but even the output format is different this time.
8c7e8ff to e0f0ff3
A couple of things:
Other than those things, this works OK for me (with a gigantic list of
e0f0ff3 to 17ee617
Are the changes to
Oh, those are the results of npm audit fix. 👍
Is this ready to be merged?
This doesn't change packages that require npm audit fix --force
nsp is deprecated. npm audit replaces it, but doesn't have any ability to ignore issues that we want to ignore. For now we're using npm audit || true to keep npm audit from making the build fail
17ee617 to a5935e1
I feel unclear why this does or doesn't pass checks now, but let's say it's ready to merge and go from there!
Per Bug 1475246, this is to keep our transitive dependencies locked