Switch identifier to be taken from github_advisory_id
#217
Conversation
|
Is there a reason that this must be backwards incompatible? I certainly prefer using the GitHub identifiers, but it would be nice (not required) to have backwards compatibility. Also, I have to refresh my memory for identifiers used for Yarn & Yarn Berry. |
|
Note, the tests are failing because of advisory warnings in |
I first wanted to add both possibilities to use npm-numbers AND github-numbers, but since I currently can see that the npm-numbers are being changed many many times I opted against having this. I am firstly trying to find a solution for my company to use the non-changing github-numbers and then maybe try to find a way to make it backward compatible. FYI on the npm-number change. Two of our allowlist entries changed the npm-number 4 times in the last 48 hours!!! The GHSA-number stayed constant!!! |
|
If you can make the tests pass across Yarn, Yarn Berry, NPM 6, and NPM 7 with only GitHub identifiers, I will accept a non-backwards-compat PR 👍🏻 |
@quinnturner The thing I could not get to work so far is the allowlist format PS: I am not sure, if I can make NPM 6 work. It looks as all of the NPM requests are mocked and non are really going out, and I locally also don't have NPM 6 anymore to check how the json responses look. And I do not trust mocked responses where I manually change things 😉 |
|
I can appreciate the mocking concern. I am going to update all of the mocks with the latest live version in my other PR. If it can pass those mocks, I am satisfied! |
|
@quinnturner I rebased my changes on your Of course it is now harder to really see what my changes are. |
mobilutz
changed the title
github_advisory_idgithub_advisory_id
|
I am still working on the base branch. The NPM 7+ algorithm has to be revised, which is taking some time since the resolution of dependencies is complicated in NPM 7+. I hope to have a solution by today or tomorrow. |
|
Wanted to say thank you for everyone taking this on. 2nd time in a couple of days our vulns have been renumbered, and we take a hard line "Block builds" until it's resolved, so it's painful all round. |
@Stephen2 We temporarily switched off our js-auditing. |
|
@mobilutz we left our js auditing in place in our CI builds so we still get logs but by omitting a severity parameter it's not a blocking step in our pipelines. |
|
Hi there, please rebase this PR off of the latest I am also in the process of writing a codemod to help migrate users from v5 to v6, including this PR. |
@quinnturner done
That sounds very good. If you need support, you can ping me. PS: I was suprised as how little needed to change in the end after your node-12 upgrade together with the npm-ouputs updates! |
|
https://github.com/quinnturner/audit-ci-codemod, working on the CI and publishing to NPM. It reads your configuration (configurable path), then performs an in-place update:
|
|
@quinnturner Thanks for you feedback, I think I addressed everything. |
|
Released |
Background:
Two of our allowlist entries changed their npm-number 4 times in the last 48 hours!!!
This is a BREAKING CHANGE as the identifier that is used to identify advisories is being changed from numerical npm-identifier to string github-identifiers e.g.
GHSA-rvg8-pwq2-xj7qMaking this backward compatible is for couple of reasons not good:
urlattribute of the json responseNOTE: I bases this change not on🟢IBM:mainbutquinnturner:node-12branch so it has some changes not related to the pull-request in it. That was needed to make testswhich they are now😄