This repository has been archived by the owner on Jan 7, 2020. It is now read-only.

MAID-2662 chore/travis: adds yarn audit to CI #248

Closed
wants to merge 5 commits into from

Conversation

hunterlester
Contributor

Last commit upgrades deps based on:

=== npm audit security report ===                        
                                                                                
# Run  npm install --save-dev coveralls@3.0.1  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > request > hawk > boom > hoek                     │
├──────────────���┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > request > hawk > cryptiles > boom > hoek         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > request > hawk > hoek                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > request > hawk > sntp > hoek                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > request > tunnel-agent                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run  npm install --save-dev mocha@5.2.0  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > debug                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mocha > growl                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 7 vulnerabilities (1 low, 5 moderate, 1 critical) in 7092 scanned packages
  7 vulnerabilities require semver-major dependency updates.

@hunterlester
Contributor Author

In order to use npm audit, I have Travis installing npm 6 and producing a package-lock.json, which is correlating with over 200 lines of ForceSet errors that look like:

../../nan/nan_maybe_43_inl.h:130:35: note: 'ForceSet' has been explicitly marked deprecated here
NAN_DEPRECATED inline Maybe<bool> ForceSet(
                                  ^
../src/ffi.cc:59:3: warning: 'ForceSet' is deprecated [-Wdeprecated-declarations]
  SET_ENUM_VALUE(FFI_BAD_TYPEDEF);

Then I see an audit report, as seen in the PR description above.
The upgrade of coveralls breaks coverage testing. After the tests run successfully, the CI just hangs and the coverage testing or publishing never happens.

@bochaco The yarn team is working on incorporating an audit command: yarnpkg/yarn#5808.
Maybe we should put this task on hold until then or should I spend the time figuring out why coveralls won't run and why the vague ForceSet errors are occurring?
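As an added illustration (not code from this PR or from the project), a Node script that reads the machine-readable form of the audit report, `npm audit --json` on npm 6 or `yarn audit --json`, and decides whether a CI job should fail at a chosen severity threshold. The sample data is constructed to mirror the counts in the report above (1 low, 5 moderate, 1 critical); the JSON field names are assumed from those tools' output formats.

```javascript
// Gate a CI job on audit results. Assumed formats: npm 6 `npm audit --json` is one
// JSON document with counts under metadata.vulnerabilities; `yarn audit --json`
// is newline-delimited JSON whose final record has type "auditSummary".
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Return {info, low, moderate, high, critical} counts from either tool's output.
function parseAuditCounts(raw) {
  const text = raw.trim();
  let counts;
  try {
    // npm form: a single JSON object.
    counts = JSON.parse(text).metadata.vulnerabilities;
  } catch (e) {
    // yarn form: one JSON record per line; the summary carries the totals.
    const summary = text
      .split('\n')
      .map((line) => JSON.parse(line))
      .find((rec) => rec.type === 'auditSummary');
    if (!summary) throw new Error('no audit summary found in output');
    counts = summary.data.vulnerabilities;
  }
  const out = {};
  for (const s of SEVERITIES) out[s] = Number(counts[s] || 0);
  return out;
}

// True when any finding is at or above the threshold severity (default: high).
function shouldFailBuild(counts, threshold = 'high') {
  const idx = SEVERITIES.indexOf(threshold);
  if (idx < 0) throw new Error(`unknown severity: ${threshold}`);
  return SEVERITIES.slice(idx).some((s) => counts[s] > 0);
}

// Constructed samples mirroring the report in the PR description.
const NPM_SAMPLE = JSON.stringify({
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 5, high: 0, critical: 1 }, totalDependencies: 7092 },
});
const YARN_SAMPLE = [
  JSON.stringify({ type: 'auditAdvisory', data: { advisory: { module_name: 'growl', severity: 'critical' } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { info: 0, low: 1, moderate: 5, high: 0, critical: 1 } } }),
].join('\n');

// Stand-alone run: report the counts and the gating decision for the npm sample.
const sampleCounts = parseAuditCounts(NPM_SAMPLE);
console.log(sampleCounts, 'fail build:', shouldFailBuild(sampleCounts, 'high'));
```

In a Travis step the script would read the audit output from stdin or a file and exit non-zero when `shouldFailBuild` is true; the critical growl finding alone is enough to trip a `high` threshold.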

@hunterlester hunterlester changed the title MAID-2662 chore/travis: adds npm audit to CI [WIP]MAID-2662 chore/travis: adds npm audit to CI Jun 8, 2018
@hunterlester hunterlester changed the title [WIP]MAID-2662 chore/travis: adds npm audit to CI [WIP] MAID-2662 chore/travis: adds npm audit to CI Jun 8, 2018
@bochaco bochaco added this to In progress in Upcoming release ('master' branch) via automation Aug 7, 2018
@bochaco bochaco moved this from In progress to To do in Upcoming release ('master' branch) Aug 7, 2018
@hunterlester hunterlester changed the title [WIP] MAID-2662 chore/travis: adds npm audit to CI MAID-2662 chore/travis: adds yarn audit to CI Nov 6, 2018
@hunterlester hunterlester moved this from Needs triage to In Progress in Upcoming release ('master' branch) Nov 6, 2018
Upcoming release ('master' branch) automation moved this from In Progress to Done Nov 6, 2018