-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Switch identifier to be taken from github_advisory_id
#217
Conversation
Is there a reason that this must be backwards incompatible? I certainly prefer using the GitHub identifiers, but it would be nice (not required) to have backwards compatibility. Also, I have to refresh my memory for identifiers used for Yarn & Yarn Berry. |
Note, the tests are failing because of advisory warnings in |
I first wanted to add both possibilities to use npm-numbers AND github-numbers, but since I currently can see that the npm-numbers are being changed many many times I opted against having this. I am firstly trying to find a solution for my company to use the non-changing github-numbers and then maybe try to find a way to make it backward compatible. FYI on the npm-number change. Two of our allowlist entries changed the npm-number 4 times in the last 48 hours!!! The GHSA-number stayed constant!!! |
If you can make the tests pass across Yarn, Yarn Berry, NPM 6, and NPM 7 with only GitHub identifiers, I will accept a non-backwards-compat PR 👍🏻 |
@quinnturner The thing I could not get to work so far is the allowlist format PS: I am not sure, if I can make NPM 6 work. It looks as all of the NPM requests are mocked and non are really going out, and I locally also don't have NPM 6 anymore to check how the json responses look. And I do not trust mocked responses where I manually change things 😉 |
I can appreciate the mocking concern. I am going to update all of the mocks with the latest live version in my other PR. If it can pass those mocks, I am satisfied! |
@quinnturner I rebased my changes on your Of course it is now harder to really see what my changes are. |
github_advisory_id
github_advisory_id
I am still working on the base branch. The NPM 7+ algorithm has to be revised, which is taking some time since the resolution of dependencies is complicated in NPM 7+. I hope to have a solution by today or tomorrow. |
Wanted to say thank you for everyone taking this on. 2nd time in a couple of days our vulns have been renumbered, and we take a hard line "Block builds" until it's resolved, so it's painful all round. |
@Stephen2 We temporarily switched off our js-auditing. |
@mobilutz we left our js auditing in place in our CI builds so we still get logs but by omitting a severity parameter it's not a blocking step in our pipelines. |
Hi there, please rebase this PR off of the latest I am also in the process of writing a codemod to help migrate users from v5 to v6, including this PR. |
@quinnturner done
That sounds very good. If you need support, you can ping me. PS: I was suprised as how little needed to change in the end after your node-12 upgrade together with the npm-ouputs updates! |
https://github.com/quinnturner/audit-ci-codemod, working on the CI and publishing to NPM. It reads your configuration (configurable path), then performs an in-place update:
|
@quinnturner Thanks for you feedback, I think I addressed everything. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perfect, thank you for your efforts! I will release 6.0.0-beta.1
, do some last minute checks, then follow up with 6.0.0
Released |
Background:
Two of our allowlist entries changed their npm-number 4 times in the last 48 hours!!!
This is a BREAKING CHANGE as the identifier that is used to identify advisories is being changed from numerical npm-identifier to string github-identifiers e.g.
GHSA-rvg8-pwq2-xj7q
Making this backward compatible is for couple of reasons not good:
url
attribute of the json responseNOTE: I bases this change not on🟢IBM:main
butquinnturner:node-12
branch so it has some changes not related to the pull-request in it. That was needed to make testswhich they are now😄