ArdanaLabs / DanaSwapUI


**High priority** `npm audit --audit-level low` needs to pass with exit code 0 before prod. #11

Open quinn-dougherty opened 2 years ago

quinn-dougherty commented 2 years ago

the nix expression will enforce this.

quinn-dougherty commented 2 years ago

@MatthewCroughan and @nixinator raised the question of internet connectivity: npm audit in a nix sandbox may be hard. I recently found this article which may be a lead: it turns out GH is running the npm audit database now. If there's an approach to pulling down the database locally, it would lie with GH.
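
As an added illustration of the two ideas in this thread (the `npm audit --audit-level low` exit-code gate from the issue title, and running the check against a locally pulled-down advisory database so it can work without network in a sandbox), here is an offline audit gate in Python. It is not DanaSwapUI code and not something anyone in the thread wrote. It assumes a lockfileVersion 2/3 `package-lock.json` (the `packages` map keyed by `node_modules/<name>` paths), advisories in the OSV JSON layout used by github/advisory-database with GitHub's severity under `database_specific.severity`, and the sample lockfile and advisories embedded below are constructed test data, not real packages or advisories.

```python
"""Offline npm audit gate (added example, not project code).

Assumptions, not taken from the issue thread:
  * lockfileVersion 2/3 "packages" map, keyed by node_modules/<name> paths;
  * OSV advisory records as in github/advisory-database, severity under
    database_specific.severity, ECOSYSTEM/SEMVER introduced/fixed events;
  * SAMPLE_LOCK / SAMPLE_ADVISORIES below are constructed, not real.
"""
import json
import re
from pathlib import Path

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(version):
    """Tuple that sorts like semver; a prerelease sorts before its release
    ((..,0,'beta') < (..,1,'')). Two prereleases compare as strings (approx)."""
    m = _SEMVER.match(version)
    if not m:
        raise ValueError(f"not a semver version: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core + ((0, m.group(4)) if m.group(4) else (1, ""))


def _in_range(v, introduced, fixed):
    lo = (0, 0, 0, 0, "") if introduced == "0" else parse_semver(introduced)
    if v < lo:
        return False
    return fixed is None or v < parse_semver(fixed)


def version_affected(version, ranges):
    """Walk OSV events in order: each 'introduced' opens an interval that the
    next 'fixed' closes; an unclosed interval extends to every later version."""
    v = parse_semver(version)
    for rng in ranges:
        if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
            continue
        introduced = None
        for ev in rng.get("events", []):
            if "introduced" in ev:
                introduced = ev["introduced"]
            elif "fixed" in ev and introduced is not None:
                if _in_range(v, introduced, ev["fixed"]):
                    return True
                introduced = None
        if introduced is not None and _in_range(v, introduced, None):
            return True
    return False


def lock_packages(lock):
    """Yield (name, version) for every installed copy, nested ones included."""
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:  # "" is the root project itself
            continue
        yield meta.get("name") or path.rsplit("node_modules/", 1)[-1], meta["version"]


def load_local_database(root):
    """Read every OSV record from a local checkout of the advisory database."""
    return [json.loads(p.read_text()) for p in Path(root).rglob("GHSA-*.json")]


def find_vulnerabilities(lock, advisories):
    installed = list(lock_packages(lock))
    findings = []
    for adv in advisories:
        severity = adv.get("database_specific", {}).get("severity", "critical").lower()
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != "npm":
                continue
            for name, version in installed:
                if name == pkg.get("name") and version_affected(version, aff.get("ranges", [])):
                    findings.append({"id": adv["id"], "package": name,
                                     "version": version, "severity": severity})
    return findings


def audit_exit_code(findings, audit_level="low"):
    """Same contract as `npm audit --audit-level=<level>`: non-zero only if a
    finding is at or above the level; unknown severities count as critical."""
    threshold = SEVERITY_RANK[audit_level]
    return int(any(SEVERITY_RANK.get(f["severity"], 4) >= threshold for f in findings))


# Constructed sample data: fake package names and fake GHSA ids.
SAMPLE_LOCK = {"lockfileVersion": 2, "packages": {
    "": {"name": "sample-app", "version": "0.1.0"},
    "node_modules/examplelib": {"version": "1.2.5"},
    "node_modules/foo": {"version": "3.0.0"},
    "node_modules/foo/node_modules/examplelib": {"version": "1.2.6"},
    "node_modules/otherlib": {"version": "2.1.0"},
}}
SAMPLE_ADVISORIES = [
    {"id": "GHSA-0000-0000-0001", "database_specific": {"severity": "HIGH"},
     "affected": [{"package": {"ecosystem": "npm", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "1.2.6"}]}]}]},
    {"id": "GHSA-0000-0000-0002", "database_specific": {"severity": "LOW"},
     "affected": [{"package": {"ecosystem": "npm", "name": "otherlib"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}]}]}]},
    {"id": "GHSA-0000-0000-0003", "database_specific": {"severity": "CRITICAL"},
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
]

if __name__ == "__main__":
    import sys
    found = find_vulnerabilities(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f['severity']:8} {f['package']}@{f['version']}  {f['id']}")
    sys.exit(audit_exit_code(found, "low"))
```

In a real pipeline the database checkout would be a fixed-output fetch (so the build stays sandboxed and the only impure step is refreshing that snapshot), `SAMPLE_LOCK` would be the repository's own `package-lock.json`, and the script's exit status is what the CI step gates on. The nested `node_modules/foo/node_modules/examplelib@1.2.6` copy is reported clean while the top-level `1.2.5` is flagged, which is the distinction a lockfile-based scan has to get right.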

nixinator commented 2 years ago

Interesting, Nix and NixOS itself has https://broken.sh/, which shows known CVEs for NixOS packages.

However, it's an automated script which is generated by https://github.com/flyingcircusio/vulnix

I'm thinking of building these into our pipelines, but I'm not sure they cover npm ecosystems.

Maybe a solution is to run these kinds of things in a build which allows limited network, just to gain a report. It's impure... but if it's not producing any binaries to be shipped/consumed then it may work.

nixinator commented 2 years ago

On a side note, packaging npm things into nix can be tricky. However, it would be nice to know what the developers' environments are, so I can build it myself even in a VM. If I make an exact copy of what they are using, it's going to make packaging for nix a lot easier.

Perhaps they can give me a VM or tell me the configuration of their build environment, OS etc. From that we can think of a reproducible environment for this software.

MatthewCroughan commented 2 years ago

We now have Dependabot alerts in this repository since @elite0226 has started pushing package-lock.json files to the folders containing the applications. Does this not satisfy this issue?

Admins can go to https://github.com/ArdanaLabs/DanaSwapUI/settings/security_analysis to see the available settings.


nixinator commented 2 years ago

Maybe query @quinn-dougherty and see how it aligns with his ideas/plan. Obviously free scans by GitHub are a great addition.

toastal commented 2 years ago

A lot of issues here are related to all that tooling installed by create-react-app which is abstracting an entire other layer of tooling, ad infinitum, and it takes forever for patches to propagate up this entire chain of dependencies. It would be nice to eliminate, like, most of the tooling as it is complicated with more things going unused and making some questionable tooling choices. Unfortunately it's not as easy as npm audit --fix.

MatthewCroughan commented 2 years ago

@toastal this is why I'm hoping that Github's dependabot feature is good enough for our needs. Though, if we want to do this properly with Nix and our CI, we can have Hercules-CI run an effect which will succeed or fail just as if it were running in a container in a github action, except the whole process can be encoded with Nix in our flake.

leomayleomay commented 2 years ago

@MatthewCroughan I understand this might be a low priority issue compared to other things on the plate, is this still a thing at all? I mean do we need to address it with nix? cheers

MatthewCroughan commented 2 years ago

@leomayleomay I do not see how a static website has security vulnerabilities that affect us. NPM's security vulnerabilities are of no concern to us, as far as I can see. What security vulnerabilities are there in the html/js/css? If you can demonstrate a vulnerability that affects us, I would appreciate it.

leomayleomay commented 2 years ago

@toastal I reckon we might want to close this?

toastal commented 2 years ago

It appears react-scripts still exists in the monorepo

leomayleomay commented 2 years ago

@elite0226 any chance we will get rid of react-scripts?