OfficeDev / script-lab

Create, run and share your code directly from Office
MIT License

Before releasing: understand what to do about package.json versions / OSS #235

Closed Zlatkovsky closed 5 years ago

Zlatkovsky commented 5 years ago

Need to understand what to do re. OSS. Namely:

  1. Submit any necessary paperwork for the dependencies.
  2. Are we supposed to use "^" versions or exact version numbers? (Also introduce a rule to enforce one or the other).
  3. Do any shrinkwrapping to ensure that we indeed deploy with the appropriate dependencies
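
As an added illustration of items 2 and 3 (example code written for this page, not tooling from the script-lab repository): a small Node.js script that reports dependencies whose declared range does not follow one chosen policy (all exact pins, or all "^" ranges) and dependencies whose package-lock.json entry no longer satisfies the declared range. The package.json and package-lock.json fragments are constructed for the example; the semver handling is deliberately minimal (plain x.y.z, ^ and ~ only) and reports anything else as not satisfied so it gets looked at by hand.

```javascript
'use strict';

// Added example, not script-lab's own tooling. Two checks over a package.json /
// package-lock.json pair:
//   1. every declared range follows one policy ("exact" or "caret");
//   2. the version recorded in the lockfile still satisfies the declared range.
// Both inputs below are constructed fragments for illustration.

const packageJson = {
  dependencies: {
    react: '^16.6.0',     // caret range
    joi: '11.4.0',        // exact pin
    lodash: '~4.17.10',   // tilde range
  },
  devDependencies: {
    typescript: '3.1.6',  // exact pin, but the lock below has drifted
    prettier: '^1.15.0',  // declared, but missing from the lock entirely
  },
};

const packageLock = {
  dependencies: {
    react: { version: '16.6.3' },
    joi: { version: '11.4.0' },
    lodash: { version: '4.17.11' },
    typescript: { version: '3.2.1' },
  },
};

// Parse "x.y.z" (optionally prefixed by ^, ~ or v) into numeric parts; null otherwise.
// Prerelease tags and build metadata are not handled and come back as null.
function parseVersion(text) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)$/.exec(text);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classifyRange(range) {
  if (/^\d+\.\d+\.\d+$/.test(range)) return 'exact';
  if (range.startsWith('^')) return 'caret';
  if (range.startsWith('~')) return 'tilde';
  return 'other'; // "*", ">=1.0.0", "1.x", "||" unions, git URLs: review by hand
}

// Minimal semver check covering only exact, ^x.y.z and ~x.y.z. Anything it does not
// understand is reported as "not satisfied" rather than silently accepted.
function satisfies(range, version) {
  const want = parseVersion(range);
  const have = parseVersion(version);
  if (!want || !have) return false;
  const kind = classifyRange(range);
  if (kind === 'exact') return compareVersions(want, have) === 0;
  if (compareVersions(have, want) < 0) return false; // below the declared floor
  if (kind === 'caret') {
    // ^x.y.z: same major; ^0.y.z: same minor (semver's caret rule for 0.x)
    return want[0] === 0 ? have[0] === 0 && have[1] === want[1] : have[0] === want[0];
  }
  if (kind === 'tilde') return have[0] === want[0] && have[1] === want[1];
  return false;
}

function allDependencies(pkg) {
  return Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {});
}

// Dependencies whose declared range breaks the chosen policy ("exact" or "caret").
function findPolicyViolations(pkg, policy) {
  return Object.entries(allDependencies(pkg))
    .filter(([, range]) => classifyRange(range) !== policy)
    .map(([name, range]) => ({ name, range }));
}

// Dependencies missing from the lockfile or locked at a version outside the range.
function findLockDrift(pkg, lock) {
  const locked = (lock && lock.dependencies) || {};
  return Object.entries(allDependencies(pkg))
    .filter(([name, range]) => !locked[name] || !satisfies(range, locked[name].version))
    .map(([name, range]) => ({ name, range, locked: locked[name] ? locked[name].version : null }));
}

console.log('not caret:', findPolicyViolations(packageJson, 'caret'));
console.log('not exact:', findPolicyViolations(packageJson, 'exact'));
console.log('lock drift:', findLockDrift(packageJson, packageLock));
```

Run it with `node check-deps.js` after pointing the two constants at the real files (for example via `JSON.parse(fs.readFileSync(...))`). The drift half of the check also comes for free in CI: `npm ci` refuses to install when package.json and package-lock.json disagree, and `yarn install --frozen-lockfile` (Yarn 1) fails instead of rewriting yarn.lock, so using one of those in the Travis or Azure DevOps build is the simplest way to guarantee a deployment ships the locked versions.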
nico-bellante commented 5 years ago

Partially related to #1 in the sense that we need to also add the proper licenses to our own packages (editor, server), and appropriate readmes, etc.

gergzk commented 5 years ago

I ran our component detection locally and it didn't flag anything. Checking back with the owners to make sure I did that right.

Also chatted with @Zlatkovsky about potentially moving the build to Azure DevOps, then we can just enable the component detection as a build step, which will handle yelling at us about automatic upgrades (or non-automatic non-upgrades that get out of support).

gergzk commented 5 years ago

We have 5 current violations. Each of these should be addressed either by actually fixing it, or dismissing it if that's appropriate (hit the ... next to the component and click dismiss, then justify).


Assigning to Michael to address these.

gergzk commented 5 years ago

@Zlatkovsky - assign back once these are cleared and I can run the tool again to confirm, or I can show you how to run the tool locally (which might be useful as you fix things).

Zlatkovsky commented 5 years ago

@gergzk , went through the list and dismissed with justifications. Will keep the issue on my plate for now, to track the slightly-more-long-term thing of making sure we're doing the right thing with "^" versions and OSS approvals, and also that Travis/Azure DevOps uses the lock file when deploying. I'll chat with you offline more about it.

Zlatkovsky commented 5 years ago

https://github.com/OfficeDev/script-lab-react/pull/308 should fix this. (And Gergely is running the tool in one-off mode now).

@gergzk , after you're done, I think we can close this issue.

gergzk commented 5 years ago

Current state is here: https://office.visualstudio.com/OC/_componentGovernance/94704?_a=alerts&typeId=103794

We have one vulnerability, using hoek 4.2.1, which we should "update to a patched version of hoek"

gergzk commented 5 years ago

hoek is referenced via joi ^11.1.1 (already resolved to 11.4.0, which is the max matching version) through react-scripts in editor
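
Tracing a chain like this by hand gets tedious once a flagged package is pulled in from several places, so here is an added example (written for this page, not from the script-lab repository) that walks a package-lock.json v1 style graph and lists every path from the project's direct dependencies to a target package. The lockfile below is constructed for illustration: the names follow the chain described in the comment (react-scripts requiring joi, joi requiring hoek), but the versions and the extra "requires" entries are made up and not taken from the real lockfile.

```javascript
'use strict';

// Added example, not script-lab's code. Finds every dependency chain from a
// project's direct dependencies to a flagged package, so an alert on an indirect
// dependency can be tied to the top-level package that would have to be bumped
// (or the alert dismissed with a written reason). The lockfile is a constructed
// package-lock v1 style fragment; versions and most "requires" entries are invented.

const sampleLock = {
  dependencies: {
    'react-scripts': { version: '2.1.1', requires: { joi: '^11.1.1', webpack: '^4.0.0' } },
    joi: { version: '11.4.0', requires: { hoek: '4.x.x', topo: '2.x.x', isemail: '3.x.x' } },
    hoek: { version: '4.2.1' },
    topo: { version: '2.0.2', requires: { hoek: '4.x.x' } },
    isemail: { version: '3.2.0' },
    webpack: { version: '4.26.0' },
  },
};

// What the project's own package.json lists directly.
const directDeps = ['react-scripts'];

// package-lock v1 resolution: a required package may be nested under the parent's
// own "dependencies" map (when versions conflict) or hoisted to the root map.
function resolveEntry(lock, parentEntry, name) {
  if (parentEntry && parentEntry.dependencies && parentEntry.dependencies[name]) {
    return parentEntry.dependencies[name];
  }
  return lock.dependencies ? lock.dependencies[name] : undefined;
}

// Depth-first walk over "requires" edges. Returns one "a@1 > b@2 > target@3" string
// per distinct path; a package already on the current path is not re-entered.
function findPaths(lock, direct, target) {
  const found = [];

  function walk(name, entry, path) {
    const label = entry ? `${name}@${entry.version}` : `${name}@<missing>`;
    const next = path.concat(label);
    if (name === target) {
      found.push(next.join(' > '));
      return;
    }
    if (!entry || !entry.requires) return;
    for (const child of Object.keys(entry.requires)) {
      if (next.some((p) => p.startsWith(child + '@'))) continue; // cycle guard
      walk(child, resolveEntry(lock, entry, child), next);
    }
  }

  for (const name of direct) walk(name, resolveEntry(lock, null, name), []);
  return found;
}

for (const chain of findPaths(sampleLock, directDeps, 'hoek')) console.log(chain);
```

On the sample graph this prints two chains, both ending at hoek@4.2.1, which is exactly the information needed to decide whether a direct dependency can be bumped to pull in a newer joi (and therefore a newer hoek) or whether the alert has to be dismissed with a justification.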

Zlatkovsky commented 5 years ago

@gergzk , for hoek, I think we can dismiss the alert. I went to the portal and did that just now, with the following justification

Because hoek is used by react-scripts rather than actual user code, there is no risk of arbitrary code trying to modify proto, and so there is no "user input" to validate. Moreover, it would be hard to update hoek, since it's an indirect dependency. I think it's OK to dismiss this alert.

We now have 0 reported vulnerabilities.

I'm re-assigning the issue to you to run it one more time after Nico finishes the Runner (which would have a small chance of bringing in new dependencies) -- but generally-speaking, I think we're doing good. Reducing the remaining time effort to just < 1 hour.
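
For readers who have not met the bug class the justification above refers to ("arbitrary code trying to modify proto"), here is an added example written for this page. It is a generic illustration of prototype pollution through a recursive merge and is not hoek's code; it makes no claim about which hoek versions or functions are affected. It shows the shape of input the merge would have to receive for pollution to happen, which is exactly the premise the dismissal rests on, and puts a hardened merge beside the naive one. The payload is constructed.

```javascript
'use strict';

// Added example, not hoek's or script-lab's code: prototype pollution via a naive
// recursive merge, and a hardened variant. The attacker-shaped payload is constructed.

// Vulnerable: walks every enumerable key, including "__proto__". Because
// target["__proto__"] evaluates to Object.prototype, the nested merge writes
// onto the shared prototype and every plain object in the process inherits it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, prototype-reaching keys rejected outright, and nested
// targets reused only when they are the target's own plain-object properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (own === null || typeof own !== 'object') target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs mergeFn against a payload as it would arrive from untrusted JSON and reports
// whether Object.prototype was modified. Cleans up afterwards so the rest of the
// process is not affected by the demonstration.
function pollutionObserved(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}'); // own key, not the setter
  try {
    mergeFn({}, payload);
  } catch (e) {
    // the hardened merge rejects the payload; that counts as "not polluted"
  }
  const leaked = ({}).polluted === true; // a fresh object should not have this
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naiveMerge polluted Object.prototype:', pollutionObserved(naiveMerge));
console.log('safeMerge polluted Object.prototype:', pollutionObserved(safeMerge));
```

The practical check when deciding whether to dismiss such an alert is therefore not "is the package in our code or in the toolchain" alone but "can a key like `__proto__` in attacker-controlled JSON ever reach the merge"; for a build-time tool consuming its own config files the answer is usually no, for anything that merges request bodies or uploaded documents it is yes.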

Zlatkovsky commented 5 years ago

@gergzk , could you please re-run the tool one last time? And after that, close the issue?

gergzk commented 5 years ago

Yep, I will do a run tomorrow morning

On Sun, Dec 2, 2018 at 7:22 PM Michael Zlatkovsky notifications@github.com wrote:

@gergzk , could you please re-run the tool one last time? And after that, close the issue?

gergzk commented 5 years ago

We are OSS clean. Closing this bug. If yarn.lock changes again, just shout and I can re-run the tool ad-hoc.