Merge pull request #1530 from guardian/dblatcher/facia-tool-deps
twrichards authored Nov 1, 2023
2 parents 3f76ad7 + b129843 commit ece9b6b
Showing 5 changed files with 126 additions and 73 deletions.
10 changes: 10 additions & 0 deletions README.md
Expand Up @@ -111,6 +111,16 @@ In CODE the breaking news tool sends notifications to the "debug version" of the

Breaking News is represented by a front called `breaking-news` which is considered to be a special case. It has a `Send Alert` button rather than a `Launch` button. Only one thing can be added to a collection at a given time. You cannot send the same alert twice, and snap links cannot be added / alerted on. Different collections represent different audience groups (eg by location or by subscription to different topics.) To add a new one, just create a container. New breaking news containers need to have the layout `breaking-news/not-for-other-fronts`.

## Client-side vulnerabilities: Synk and JSPM

The older client side tools (those with source code at /public/src - not the [Fronts-tool](#the-fronts-tool)) are bundled using [JSPM](https://jspm.org/). Instead of dependencies for the application being listed in the package.json file in the normal way, they are listed under "jspm" and compiled by JSPM using an import map.

A side effect of this is that the vulnerabilities are not surfaced by Synk. To address this, there is a workaround to construct a "regular" package.json file out real one, and a custom action so that Synk can report on vulnerabilities (see [PR#1521](https://github.com/guardian/facia-tool/pull/1521)).

To audit vulernabilities locally:
- `cd v1_jsmp_synk_workaround`
- `npm run preinstall` - generates the package.json file in the gitignored '/result' subfolder
- `npm run audit` - generates a lockfile in '/result' and runs the npm audit command - note you can append parameters for pn audit - eg `npm run audit --production > ./result/audit.txt`

## Troubleshooting
### Postgres
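
Review bot: the example in the last bullet, `npm run audit --production > ./result/audit.txt`, will not hand `--production` to the underlying `npm audit` call, because `npm run` treats options placed before a `--` separator as its own; the documented form should be `npm run audit -- --production > ./result/audit.txt`. The same section misspells the scanner name as "Synk" (Snyk) in the heading and both paragraphs, and has "vulernabilities", "out real one" (presumably "out of the real one") and "pn audit" (npm audit). Please also confirm that `v1_jsmp_synk_workaround` is the directory name exactly as it exists in the repository, since a reader will paste the `cd` line verbatim, and note that the first paragraph writes the source path as `/public/src` while the bullets write the output folder as '/result', both with a leading slash although they appear to be relative to the repo and to the workaround folder respectively.
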
6 changes: 3 additions & 3 deletions package.json
Expand Up @@ -21,17 +21,17 @@
"fastselect": "github:dbrekalo/fastselect@0.2.0",
"font-awesome": "npm:font-awesome@4.5.0",
"grid-util-js": "npm:grid-util-js@1.0.5",
"highcharts": "npm:highcharts@7.2.2",
"highcharts": "npm:highcharts@9.2.1",
"jquery": "npm:jquery@2.2.3",
"jquery-mockjax": "npm:jquery-mockjax@2.1.1",
"jquery-ui": "github:jquery/jquery-ui@1.11.3",
"knockout": "npm:knockout@3.4.0",
"knockout": "npm:knockout@3.5.1",
"numeral": "npm:numeral@1.5.3",
"panda-session": "github:guardian/panda-session@0.1.6",
"raven-js": "npm:raven-js@2.3.0",
"sinon": "npm:sinon@1.17.3",
"text": "github:systemjs/plugin-text@0.0.7",
"underscore": "npm:underscore@1.8.3"
"underscore": "npm:underscore@1.13.6"
},
"devDependencies": {
"babel": "npm:babel-core@^6.0.0",
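
Review bot: `highcharts` moves from 7.2.2 to 9.2.1, which crosses two major versions, and nothing visible here records that the chart code under /public/src was checked against the breaking changes in 8.x and 9.x; please state in the PR description what was tested, and do the same for the `knockout` 3.4.0 to 3.5.1 and `underscore` 1.8.3 to 1.13.6 bumps. In the same block `jquery` 2.2.3, `jquery-ui` 1.11.3, `raven-js` 2.3.0 and `numeral` 1.5.3 stay pinned at their old versions, so it would help to say whether the audit described in the README change flagged them and they are deliberately deferred, or whether they came back clean. Because these are JSPM entries rather than regular dependencies, also confirm that the generated import map and bundle were rebuilt with the new versions and not only the package.json strings changed.
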