NIAEFEUP / tts-fe

A platform where students can experiment with the possible combination of schedule options they can pick at the start of the semester
https://tts.niaefeup.pt

Setup audit github actions, which will scan for npm packages vulnerabilities #224

Open tomaspalma opened 2 months ago

tomaspalma commented 2 months ago

Before merging a pull request, we should have an action that checks if vulnerabilities were found in any of the packages

thePeras commented 1 month ago

I have just enabled the first one, which already does that with Dependabot. Should we enable the second one to open a PR?

Feel free to configure these settings yourself.

tomaspalma commented 1 month ago

Thank you!

I think that the dependabot part might be more suitable for the #225 issue.

This one was more about having the `npm run audit` command run when a PR tries to merge into develop. Although Dependabot will alert on vulnerabilities in dependencies already in our project, it won't alert on new dependencies that would be merged by a PR.

> Should we enable the second one to open a PR?

I believe it is a good idea. Even though it may add noise to the PR tab, security is important.
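One way to implement the check tomaspalma describes (run `npm audit` on every pull request into develop, so that dependencies a PR introduces are scanned before merge, not only the ones Dependabot already knows about). This is an added example, not the project's own workflow file; the workflow name, the `develop` branch name, the Node version and the `--audit-level=high` threshold are assumptions.

```yaml
# Added example workflow, not the tts-fe project's own configuration.
# Assumptions: PRs target the `develop` branch, the project has a
# package-lock.json, and Node 20 is the supported runtime.
name: npm audit

on:
  pull_request:
    branches: [develop]

# The job only reads the repository; it needs no write permissions.
permissions:
  contents: read

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      # `npm ci` installs exactly what package-lock.json pins, so the audit
      # covers the dependency tree the PR would actually merge, including
      # packages the PR adds. It fails if the lockfile is out of sync with
      # package.json, which is itself a useful check.
      - run: npm ci

      # `npm audit` exits non-zero when any advisory at or above the given
      # level is found, which fails the job and blocks the PR. Lower
      # severities are still listed in the log but do not block the merge.
      - run: npm audit --audit-level=high
```

For the job to actually block a merge, it also has to be marked as a required status check in the branch protection rules for develop; otherwise a failing audit is only visible in the PR, not enforced. Note that `npm audit` needs network access to the npm registry, which GitHub-hosted runners have, and that it scans devDependencies too; if build-only tooling generates too much noise, `npm audit --omit=dev` restricts the check to packages that ship in the built site.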