Closed kdenhartog closed 1 year ago
Hey @kdenhartog,
Use dependabot or something like it to automatically open PRs to fix vulnerable packages.
Thanks for the feedback, this is a valid concern!
We are currently investigating the best way to achieve that, but before putting any automated tool in place we will need to audit and update our thousands of dependencies which is a long process.
Is there anything I could help with for this? Brave is interested in sticking with directly using this repository for our wallet to support Ledger HW wallets rather than forking but we are concerned about the risk of supply chain attacks that we become susceptible to if this takes awhile to complete.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
bump to keep this ticket open as we still would like to see this completed.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
bump to keep this ticket open as we still would like to see this completed.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
Same here: when running yarn audit I'm getting the following vulnerabilities in the package dependencies.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
Can't remove the label, so bumping via a comment again.
Hey @kdenhartog, sorry for the lack of response here but I just wanted to let you know that we have not forgotten this issue and that it is definitely on our roadmap 😉.
That's great to hear! I know these things can take time so thanks for the update that this is still in the works.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
bump so the bot doesn't close it. I know the team still intends to get to this when they get the time.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
bump
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
bump
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
This issue is stale because it has been open 30 days with no activity. Remove stale label, comment, or consider closing it.
Is there any progress on moving this one up on the backlog at this point?
Yes, we are looking into it in the next few weeks. Sorry for the long waiting time. Bandwidth was not on our side, but it has been prioritized.
Since the issue is about the setup, I'm closing it as we have set up Renovate bot to help us with our dependency updates (this plus the security feature in GitHub allows us to tackle the important upgrades first, but this is a long-term process).
Thanks again for the reports.
Awesome, that's great to hear! Thanks for setting that up, which should be fine to make this work and make it easier for us to manage the transient dependencies we pick up from this.
Context
CI Pipeline / monorepo base package
Is your feature request related to a problem? Please describe.
Given that many of the applications and much of the code in this monorepo are strongly related to the security of cryptoassets, this repo should be automatically failing CI checks if vulnerable packages are in use, or automatically updating vulnerable code.
Describe the solution you'd like
Use dependabot or something like it to automatically open PRs to fix vulnerable packages.
Describe alternatives you've considered
This can be done with pnpm audit --fix to leverage the overrides capability of pnpm. However, there are two downsides I've noticed by taking this approach. First off, this makes a modification to the package.json at the base of the repo, which probably isn't ideal for long-term maintainability. Second, this tool opts to relist the same package if there are multiple security advisories listed for the same package rather than setting the newest package version as the minimum. This ends up leading to issues where these things need to be manually updated instead.

Alternatively, this could be used as an alert to a developer on the team with only pnpm audit, so that it can be manually updated when a CI pipeline fails running. This is probably the least favorable solution long term, but should work decently well for now.

Additional context
Add any other context or screenshots about the feature request here.
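As an added example (not code from this repository, from pnpm or from the issue author), the script below shows how a CI step could consolidate pnpm audit --json output into a single override per package, pinned to the newest patched version (the behaviour the issue body says pnpm audit --fix lacks), and decide whether the pipeline should fail. It assumes pnpm emits the npm-v6-style audit JSON (advisories keyed by id, each with module_name, patched_versions and severity); the SAMPLE_AUDIT document is constructed.

```javascript
// Added example (not from this repository or from pnpm): consolidate `pnpm audit --json`
// advisories into one `pnpm.overrides` entry per package, pinned to the newest
// minimum patched version, and decide whether the CI step should fail.
// Assumes the npm-v6-style audit JSON that pnpm emits (advisories keyed by id, each
// with module_name, patched_versions, severity). SAMPLE_AUDIT below is constructed.

const SAMPLE_AUDIT = JSON.stringify({
  advisories: {
    "1001": { module_name: "lodash", severity: "high", vulnerable_versions: "<4.17.19", patched_versions: ">=4.17.19" },
    "1002": { module_name: "lodash", severity: "moderate", vulnerable_versions: "<4.17.21", patched_versions: ">=4.17.21" },
    "1003": { module_name: "minimist", severity: "low", vulnerable_versions: "<1.2.6", patched_versions: ">=1.2.6" },
    "1004": { module_name: "left-pad", severity: "critical", vulnerable_versions: "*", patched_versions: "<0.0.0" },
  },
});

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Numeric comparison of dotted versions, so "4.17.21" sorts after "4.17.9".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lowest version satisfying a patched_versions range, or null when no fix exists.
// Handles the usual ">=x.y.z" lower bound (also inside "a || b" unions); an
// advisory with no ">=" bound (npm-style "<0.0.0") is treated as unpatched.
function minPatched(range) {
  const bounds = [...range.matchAll(/>=\s*(\d+(?:\.\d+)*)/g)].map((m) => m[1]);
  return bounds.length ? bounds.sort(compareVersions)[0] : null;
}

// One ">=version" override per package (highest minimum wins), the packages that
// have no patched release, and whether any advisory meets the failure threshold.
function consolidate(auditJson, failAt = "high") {
  const { advisories } = JSON.parse(auditJson);
  const overrides = {}, unfixable = [];
  let shouldFail = false;
  for (const adv of Object.values(advisories)) {
    if (SEVERITY_RANK[adv.severity] >= SEVERITY_RANK[failAt]) shouldFail = true;
    const v = minPatched(adv.patched_versions);
    if (v === null) { unfixable.push(adv.module_name); continue; }
    const cur = overrides[adv.module_name];
    if (!cur || compareVersions(v, cur.slice(2)) > 0) overrides[adv.module_name] = `>=${v}`;
  }
  return { overrides, unfixable, shouldFail };
}
```

In a pipeline, feeding the real pnpm audit --json output to consolidate, printing overrides and unfixable, and exiting non-zero when shouldFail is set gives the failing CI check the issue asks for, without the duplicate override entries. Compound ranges with several disjoint patched series are simplified to their lowest bound, so review the emitted overrides before committing them.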