ericfranz
commented
4 years ago This can likely be done completely in a TravisCI cron job, or GitHub action. Having a rake task or a shell script that executes the checks is also okay. There is no requirement to modify any of the app Gemfiles etc. For example, you can install the required dependencies in before_script in TravisCI. Such as something like:
before_script:
- gem install -g bundle-audit
- npm install -g yarn
- bundle-audit update
script:
- (cd apps/shell; yarn audit --level moderate)
- (cd apps/dashboard; bundle-audit)
- (cd apps/myjobs; bundle-audit)If we do this before replacing the files app we might omit the files app for now. There is a lot of noise due to old dependencies that have DoS issues which are not relevant to OnDemand (each server is serving only 1 user). We could try filtering those out using . But the sooner we drop cloudcmd the better in this regard.
matt257
GitHub reports dependency checks on master but not on other branches. For master and release branches such as release_1.7 and release_1.6 (we would manually specify, since we are going only several versions back), we would run this audit via TravisCi or GitLab or even GitHub Actions. Or it could even be done at OSC by cloning the repo, checking out a branch, and running the audit there.
What matters is that it is run every day i.e. a cron.
Essentially what is required is a rake task, something like
rake dependency:auditin the root of this repo that:yarn auditfor all npm packagesWe may need to be able to intentionally suppress a warning for a particular package if we know it doesn't affect the project and upgrading will introduce challenges.
┆Issue is synchronized with this Asana task by Unito