Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: Add depcheck test #7124

Merged
merged 1 commit into from
Sep 7, 2023
Merged

ci: Add depcheck test #7124

merged 1 commit into from
Sep 7, 2023

Conversation

Gudahtt
Copy link
Member

@Gudahtt Gudahtt commented Sep 4, 2023
edited
Loading

Development & PR Process

  1. Follow MetaMask Mobile Coding Standards
  2. Add release-xx label to identify the PR slated for a upcoming release (will be used in release discussion)
  3. Add needs-dev-review label when work is completed
  4. Add the appropiate QA label when dev review is completed
    • needs-qa: PR requires manual QA.
    • No QA/E2E only: PR does not require any manual QA effort. Prior to merging, ensure that you have successful end-to-end test runs in Bitrise.
    • Spot check on release build: PR does not require feature QA but needs non-automated verification. In the description section, provide test scenarios. Add screenshots, and or recordings of what was tested.
  5. Add QA Passed label when QA has signed off (Only required if the PR was labeled with needs-qa)
  6. Add your team's label, i.e. label starting with team- (or external-contributor label if your not a MetaMask employee)

Description

A test has been added to CI to ensure we don't accidentally leave packages in our manifest that aren't used, or forget to list packages in our mainfest.

We have a large number of seemingly unused or missing dependencies at the moment. Rather than fixing them all at once, they have been temporarily ignored. This lets us stop the problem from getting worse without delay. Each ignored dependency will be addressed in a later PR.

Issue

No related issue

Checklist

  • There is a related GitHub issue
  • Tests are included if applicable
  • Any added code is fully documented

@Gudahtt Gudahtt changed the title CI: Add depcheck test ci: Add depcheck test Sep 4, 2023
@socket-security
Copy link

New dependencies detected. Learn more about Socket for GitHub ↗︎

Packages Version New capabilities Transitives Size Publisher
depcheck 1.4.5 filesystem +25 8.25 MB rumpl

@socket-security
Copy link

socket-security bot commented Sep 4, 2023
edited
Loading

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: global-prefix@1.0.2, resolve-dir@1.0.1, expand-tilde@2.0.2, homedir-polyfill@1.0.3, detect-file@1.0.0, deps-regex@0.1.4, source-map-js@1.0.2, parse-passwd@1.0.0, multimatch@5.0.0, require-package-name@2.0.1, global-modules@1.0.0, findup-sync@5.0.0, array-differ@3.0.0, callsite@1.0.0, arrify@2.0.1, depcheck@1.4.5

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

@Gudahtt
Copy link
Member Author

Gudahtt commented Sep 4, 2023

@SocketSecurity ignore-all

The unmaintained packages have no clear alternatives. The "new authors" are for versions ~6 years old. The one package with filesystem access is supposed to have filesystem access (depcheck needs to read the depcheck config file).

@Gudahtt Gudahtt added the No QA Needed Apply this label when your PR does not need any QA effort. label Sep 4, 2023
@codecov-commenter
Copy link

codecov-commenter commented Sep 4, 2023
edited
Loading

Codecov Report

Patch and project coverage have no change.

Comparison is base (eafdda1) 32.83% compared to head (44f43a4) 32.83%.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #7124   +/-   ##
=======================================
  Coverage   32.83%   32.83%           
=======================================
  Files        1006     1006           
  Lines       32727    32727           
  Branches     8396     8396           
=======================================
  Hits        10745    10745           
  Misses      21982    21982

☔ View full report in Codecov by Sentry.

📢 Have feedback on the report? Share it here.

@Gudahtt Gudahtt added the needs-dev-review PR needs reviews from other engineers (in order to receive required approvals) label Sep 4, 2023
@Gudahtt Gudahtt marked this pull request as ready for review September 4, 2023 17:54
@Gudahtt Gudahtt requested a review from a team as a code owner September 4, 2023 17:54
@Gudahtt Gudahtt force-pushed the add-depcheck branch 2 times, most recently from 720b6fe to bb7e5e3 Compare September 6, 2023 14:27
@Gudahtt Gudahtt mentioned this pull request Sep 6, 2023
Merged
3 tasks
@Gudahtt Gudahtt force-pushed the add-depcheck branch 3 times, most recently from 2881991 to f0d15e3 Compare September 7, 2023 14:10
@Gudahtt
CI: Add depcheck test
44f43a4 
A test has been added to CI to ensure we don't accidentally leave
packages in our manifest that aren't used, or forget to list packages
in our mainfest.

We have a large number of seemingly unused or missing dependencies at
the moment. Rather than fixing them all at once, they have been
temporarily ignored. This lets us stop the problem from getting worse
without delay. Each ignored dependency will be addressed in a later PR.
@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 7, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

Cal-L
Cal-L approved these changes Sep 7, 2023
View reviewed changes
Copy link
Contributor

@Cal-L Cal-L left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Gudahtt Gudahtt removed the needs-dev-review PR needs reviews from other engineers (in order to receive required approvals) label Sep 7, 2023
@Gudahtt Gudahtt merged commit 7976cfd into main Sep 7, 2023
@Gudahtt Gudahtt deleted the add-depcheck branch September 7, 2023 20:54
@github-actions github-actions bot locked and limited conversation to collaborators Sep 7, 2023
@metamaskbot metamaskbot added the release-7.8.0 Issue or pull request that will be included in release 7.8.0 label Sep 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Cal-L Cal-L Cal-L approved these changes

Assignees
No one assigned
Labels
No QA Needed Apply this label when your PR does not need any QA effort. release-7.8.0 Issue or pull request that will be included in release 7.8.0 team-mobile-platform
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Gudahtt @codecov-commenter @Cal-L @metamaskbot