Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test(dep): update tap test runner to latest (18.7.1) #2563

Draft
wants to merge 11 commits into
base: main
Choose a base branch
from
Draft

test(dep): update tap test runner to latest (18.7.1) #2563

wants to merge 11 commits into from

Conversation

bernardobridge
Copy link
Contributor

Description

We have a few dependency updates to do with our dev dependencies. This one was the biggest one, as there are some changes between tap 16 and 18.

Ended up making a couple of quality of life improvements too:

  • Set disable coverage and color options in a package.json tap config, so we don't have to add --color and coverage flags on every time
  • Also set export ARTILLERY_TELEMETRY_DEFAULTS='{\"source\":\"test-suite\"}' in the tap config

As a result, the npm scripts are now a lot shorter and it's harder to forget default flags/variables 馃憣

Pre-merge checklist

  • Does this require an update to the docs? No
  • Does this require a changelog entry? No

@socket-security Socket Security
Copy link

socket-security bot commented Mar 12, 2024
edited

New and removed dependencies detected. Learn more about Socket for GitHub 鈫楋笌

Package New capabilities Transitives Size Publisher
npm/@babel/core@7.23.7 environment, filesystem, unsafe Transitive: shell +49 10.7 MB nicolo-ribaudo
npm/@prisma/client@3.1.1 environment, filesystem, shell Transitive: eval, network +3 21.6 MB prismabot
npm/apollo-server@3.3.0 network Transitive: environment, eval, filesystem, shell +63 11.7 MB apollo-bot
npm/aws-sdk@2.1534.0 environment, filesystem, network, shell Transitive: eval +31 94.3 MB aws-sdk-bot
npm/aws4@1.12.0 environment 0 23.5 kB hichaelmart
npm/body-parser@1.20.2 network Transitive: environment, eval, filesystem, unsafe +13 540 kB dougwilson
npm/csv-parse@4.16.0 None 0 681 kB david
npm/eslint-config-airbnb-base@14.2.1 Transitive: environment, eval, filesystem, shell, unsafe +148 13.3 MB ljharb
npm/eslint-plugin-import@2.23.4 environment, filesystem, unsafe Transitive: eval, shell +145 13.2 MB ljharb
npm/express@4.18.2 environment, filesystem, network Transitive: eval, unsafe +21 933 kB dougwilson
npm/graphql@15.6.0 environment 0 2.12 MB i1g
npm/prisma@3.1.1 environment, eval, filesystem Transitive: network, shell +1 17.2 MB prismabot
npm/socket.io@3.1.2 filesystem, network Transitive: environment +12 5.03 MB darrachequesne
npm/sqlite3@5.0.2 Transitive: environment, eval, filesystem, network, shell +109 11.8 MB kewde_
npm/ws@7.4.6 network 0 113 kB lpinca

馃毊 Removed packages: npm/@aws-sdk/credential-providers@3.369.0, npm/@commitlint/cli@9.1.2, npm/@commitlint/config-conventional@7.6.0, npm/@hapi/basic@6.0.0, npm/@hapi/hapi@20.2.2, npm/@ngneat/falso@7.1.1, npm/@oclif/command@1.8.16, npm/@oclif/core@1.24.0, npm/@oclif/plugin-help@5.2.12, npm/@oclif/plugin-not-found@2.3.9, npm/@oclif/plugin-plugins@2.4.7, npm/@oclif/test@2.3.22, npm/@playwright/browser-chromium@1.42.1, npm/@playwright/test@1.42.1, npm/@types/chai@4.3.5, npm/@types/gradient-string@1.1.2, npm/@types/inquirer@8.2.5, npm/@types/js-yaml@4.0.5, npm/@types/mocha@9.1.1, npm/@types/tap@15.0.8, npm/agentkeepalive@4.2.1, npm/archiver@5.3.1, npm/arrivals@2.1.2, npm/artillery-plugin-fake-data@1.0.2, npm/async@2.6.4, npm/aws-sdk@2.1391.0, npm/chai@4.3.7, npm/cheerio@1.0.0-rc.10, npm/cli-highlight@2.1.11, npm/cookie-parser@1.4.6, npm/csv-parse@4.16.3, npm/decompress-response@6.0.0, npm/deep-for-each@3.0.0, npm/dependency-tree@10.0.9, npm/detective-es6@4.0.1, npm/dotenv@16.0.1, npm/driftless@2.0.3, npm/esbuild-wasm@0.19.8, npm/eslint-config-oclif-typescript@1.0.3, npm/eslint-config-oclif@4.0.0, npm/eslint-config-prettier@8.5.0, npm/eslint-plugin-prettier@4.0.0, npm/eslint@8.14.0

View full report鈫楋笌

@socket-security Socket Security
Copy link

socket-security bot commented Mar 12, 2024
edited

馃毃 Potential security issues detected. Learn more about Socket for GitHub 鈫楋笌

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Install scripts npm/core-js-pure@3.18.1
  • Install script: postinstall
  • Source: node -e "try{require('./postinstall')}catch(e){}"
Install scripts npm/@prisma/engines@3.1.0-24.c22652b7e418506fab23052d569b85d3aec4883f
  • Install script: postinstall
  • Source: node download/index.js
Install scripts npm/@apollo/protobufjs@1.2.2
  • Install script: postinstall
  • Source: node scripts/postinstall
Install scripts npm/sqlite3@5.0.2
  • Install script: install
  • Source: node-pre-gyp install --fallback-to-build
Install scripts npm/@prisma/client@3.1.1
  • Install script: postinstall
  • Source: node scripts/postinstall.js
Install scripts npm/prisma@3.1.1
  • Install script: install
  • Source: node scripts/install-entry.js
Install scripts npm/prisma@3.1.1
  • Install script: preinstall
  • Source: node scripts/preinstall-entry.js

View full report鈫楋笌

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/core-js-pure@3.18.1
  • @SocketSecurity ignore npm/@prisma/engines@3.1.0-24.c22652b7e418506fab23052d569b85d3aec4883f
  • @SocketSecurity ignore npm/@apollo/protobufjs@1.2.2
  • @SocketSecurity ignore npm/sqlite3@5.0.2
  • @SocketSecurity ignore npm/@prisma/client@3.1.1
  • @SocketSecurity ignore npm/prisma@3.1.1

@bernardobridge bernardobridge force-pushed the bernardobridge/art-1682-update-tap-to-latest branch from e7882eb to afc1530 Compare March 13, 2024 12:02
@bernardobridge bernardobridge force-pushed the bernardobridge/art-1682-update-tap-to-latest branch from afc1530 to 4ce8c99 Compare March 13, 2024 12:15
@bernardobridge bernardobridge marked this pull request as draft April 15, 2024 13:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
run-aws-tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@bernardobridge