Enable audit-filter for npm dependencies for all packages in monorepo #2229
jaredhirsch changed the title from "Enable security scanning of npm dependencies for all packages in monorepo" to "Enable audit-filter for npm dependencies for all packages in monorepo" on Aug 16, 2019
This was referenced Sep 6, 2019
jaredhirsch added a commit that referenced this issue on Nov 14, 2019:

* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel.
* Also fix today's handlebars vulnerability, so that builds don't fail.

Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? As a workaround, I've added exceptions where npm wasn't able to fixup vulnerabilities. Fixes #2229.
jaredhirsch added a commit that referenced this issue on Nov 14, 2019:

* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel.
* Also fix today's handlebars vulnerability, so that builds don't fail.

Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
jaredhirsch added a commit that referenced this issue on Nov 15, 2019:

* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel.
* Also fix today's handlebars vulnerability, so that builds don't fail.

Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
jaredhirsch added a commit that referenced this issue on Nov 18, 2019:

* Add a lint:deps job to the top-level package.json, so lerna can run lint:deps in all packages in parallel.
* Also handle recent handlebars vulnerability, so that builds don't fail.
* Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't get it to build yet in the monorepo.

Some of the vulnerabilities are in transitive dependencies, yet the suggested `npm update foo --depth N` command sometimes seems to do nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by npm/cli#239, but perhaps that didn't fix all the cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter exceptions where `npm update` wasn't able to fix vulnerabilities. Fixes #2229.
Related to #2228 and inspired by the checklist item in #1128, let's make sure transitive dependencies are up-to-date across the whole monorepo. Copying in the checklist item from #1128 for guidance, and adding checkboxes for each package within the monorepo:

Packages with `npm audit --json` integrated into testing via a `lint:deps` npm task:

Security guidance for reference: `npm audit` with audit-filter to review and handle exceptions (see example in speech-proxy)
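To make the exception mechanism behind `npm audit --json | audit-filter` concrete, here is an added example written for this page; it is not code from the fxa monorepo, from speech-proxy, or from audit-filter itself. It models the filtering step: every advisory reported by `npm audit --json` must either be fixed or be listed by URL in an `.nsprc` "exceptions" array, and the `lint:deps` task fails on anything else. Assumed (and constructed for the example): the npm 6 audit JSON layout with a top-level `advisories` object keyed by id, the `.nsprc` layout with an `exceptions` array of advisory URLs, and the sample advisory ids 9001/9002, versions and dependency paths, which are made up and not real advisories. The function names `unfilteredAdvisories`, `lintDepsExitCode` and `formatReport` are hypothetical.

```javascript
// Constructed sample of `npm audit --json` output (npm 6 layout, assumed).
// Ids, versions and dependency paths are made up for this example.
const SAMPLE_AUDIT = {
  advisories: {
    '9001': {
      id: 9001,
      module_name: 'handlebars',
      severity: 'high',
      title: 'Prototype pollution',
      url: 'https://npmjs.com/advisories/9001',
      patched_versions: '>=4.1.3',
      // A transitive path: the vulnerable package sits two levels down.
      findings: [{ version: '4.1.2', paths: ['fxa-shared>some-template-lib>handlebars'] }],
    },
    '9002': {
      id: 9002,
      module_name: 'lodash',
      severity: 'low',
      title: 'Prototype pollution',
      url: 'https://npmjs.com/advisories/9002',
      patched_versions: '>=4.17.15',
      findings: [{ version: '4.17.11', paths: ['lodash', 'lerna>lodash'] }],
    },
  },
  metadata: { vulnerabilities: { low: 1, moderate: 0, high: 1, critical: 0 } },
};

// Constructed .nsprc (layout assumed to match audit-filter): one entry per
// advisory URL, so each exception is explicit and reviewable in code review
// instead of a blanket "ignore audit failures". Here 9002 is excepted because
// `npm update` could not fix it, the workaround the commit messages describe.
const SAMPLE_NSPRC = {
  exceptions: ['https://npmjs.com/advisories/9002'],
};

// Advisories that are not covered by an exception. Matching is on the exact
// advisory URL, so an exception never silently widens to other advisories
// in the same module.
function unfilteredAdvisories(audit, nsprc) {
  const allowed = new Set((nsprc && nsprc.exceptions) || []);
  return Object.values((audit && audit.advisories) || {}).filter((adv) => !allowed.has(adv.url));
}

// Exit status the lint:deps task would return: 0 only when every reported
// advisory has an exception, 1 otherwise, so CI fails on anything unreviewed.
function lintDepsExitCode(audit, nsprc) {
  return unfilteredAdvisories(audit, nsprc).length === 0 ? 0 : 1;
}

// One report line per unexcepted advisory, including the dependency path, so a
// reviewer can tell a direct dependency from a transitive one and see which
// version `npm update` needs to reach.
function formatReport(audit, nsprc) {
  return unfilteredAdvisories(audit, nsprc).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths).join(', ');
    return `${adv.severity.toUpperCase()} ${adv.module_name} (${adv.url}) via ${paths}; fixed in ${adv.patched_versions}`;
  });
}

// Stand-alone run over the constructed samples: prints the one advisory that
// still needs attention (handlebars) and reports the exit code it would cause.
console.error(formatReport(SAMPLE_AUDIT, SAMPLE_NSPRC).join('\n'));
console.error(`lint:deps would exit with ${lintDepsExitCode(SAMPLE_AUDIT, SAMPLE_NSPRC)}`);
```

In a per-package `package.json` the equivalent task is assumed to look like `"lint:deps": "npm audit --json | audit-filter"`, with the top-level `package.json` running `lerna run lint:deps --parallel` as the commit messages describe; the `.nsprc` file lives beside each package so an exception for a transitive dependency in one package does not leak to the others.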