ci: security patching upgrades #156
Conversation
.eslintrc.js
Outdated
| extends: [ | ||
| "eslint:recommended", | ||
| "plugin:node/recommended" | ||
| ], |
There was a problem hiding this comment.
Please don't change the ESLint config.
| # the `language` matrix defined below to confirm you have the correct set of | ||
| # supported CodeQL languages. | ||
| # | ||
| name: "CodeQL" |
There was a problem hiding this comment.
Interesting, I didn't know about CodeQL. Is there a preview of what kind of things this would report? I'm only concerned if it would add noise like it's often the case with npm audit and Dependabot (see e.g. npm audit: Broken by Design).
If it provides helpful suggestions then I'm open. I'm wondering though if it has to run in a cron job? Since it analyses the code, doesn't it make sense to run it when code changes?
There was a problem hiding this comment.
Honestly I don't know too much as well ^^
I just threw all these scanners because my team is complaining about "vulnerabilities". I'm not sure if they don't raise false positives like the examples given in that blog post (Dan the man!)
Anyways it looks like this, and so far only the generated files are getting flagged. I added a config file to ignore dist so nothing should show up in the main(this) repository.
There was a problem hiding this comment.
Ok, thanks for the additional info then! 🙂
Well if there's no strong reason to introduce this currently, then I'd wait with the code scanners.
| # This workflow integrates njsscan with GitHub's Code Scanning feature | ||
| # nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications | ||
|
|
||
| name: njsscan sarif |
There was a problem hiding this comment.
Doesn't this do the same thing as CodeQL?
There was a problem hiding this comment.
I just threw the whole kitchen sink here ^^
I can remove it if you don't want this scanner.
| "jest": "24.9.0", | ||
| "eslint": "8.8.0", | ||
| "eslint-plugin-node": "^11.1.0", | ||
| "jest": "27.4.7", |
There was a problem hiding this comment.
Upgrading dependencies is fine, thanks! But please don't change the ESLint config.
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
xuatz
force-pushed
the
master
branch
2 times, most recently
from
a730baa to
faf89b4
Compare
xuatz
changed the title
|
Thanks a lot @xuatz! |
|
🎉 This PR is included in version 4.0.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
Summary
Just small deps bumps which I think is pretty trivial.
Details
Had to rollback the eslint upgrade because v8 introduced some breaking changes for
eslint-config-molindo.Jest seems to be working fine as well.
Feel free to squash the commits 👍
Notes
I don't expect this PR to get merged as-is, but just want to show you the stuff I'm doing.Let me know what do you want, or if its shorter, what you don't want, then I will clean it up to make a PR for amannn/action-semantic-pull-request