ToothlessGear / node-gcm

A NodeJS wrapper library port to send data to Android devices via Google Cloud Messaging
https://github.com/ToothlessGear/node-gcm

Add snyk to fix vulnerabilities faster #354

Closed mtrezza closed 1 year ago

mtrezza commented 2 years ago

Add snyk to this repository to auto-create PRs to fix vulnerabilities instead of waiting for someone to open a manual PR.

mtrezza commented 2 years ago

@eladnava @ToothlessGear What do you think?

ToothlessGear commented 2 years ago

@mtrezza I'm open to giving maintainer privileges to you, however maybe @eladnava and @hypesystem have some input too.

mtrezza commented 2 years ago

@ToothlessGear Thanks, I'll be happy to hear any input and obviously we would discuss any suggested changes to find the best way forward for the repo.

eladnava commented 2 years ago

@mtrezza @ToothlessGear I think it would be great to have automated vulnerability fix PRs. I'm more inclined to use GitHub's built-in Dependabot, however only the repo owner (@ToothlessGear) can enable it, by visiting this page: https://github.com/ToothlessGear/node-gcm/network/updates

Dependabot works similarly to Snyk by constantly scanning the project dependencies and alerting when a vulnerability is detected, and opening a PR with a fix if possible to do so in an automated way.
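For reference, the Dependabot behaviour described above is driven by two separate switches: security-update PRs for known-vulnerable dependencies are turned on by the repo owner under the repository's security settings (the page linked above), while regular version-bump PRs for all dependencies are configured by a `.github/dependabot.yml` file committed to the repo. The file below is an added illustration, not configuration from the node-gcm repo; it assumes the project is an npm package with its `package.json` at the repository root.

```yaml
# .github/dependabot.yml  (added example, not from the node-gcm repository)
version: 2
updates:
  - package-ecosystem: "npm"   # scan package.json / package-lock.json
    directory: "/"             # assumption: manifest lives at the repo root
    schedule:
      interval: "weekly"       # open version-bump PRs at most once a week
    open-pull-requests-limit: 5
    # Security-update PRs are independent of this file; they are enabled in
    # the repository's Settings > Code security and analysis and open as soon
    # as an advisory matches a locked dependency version.
```

With this file in place Dependabot will open version-update PRs even for dependencies that have no known vulnerability, which is the same "keep everything current" behaviour that the Snyk project-level automatic upgrade setting provides.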

mtrezza commented 2 years ago

We usually use both in projects. Snyk seems to be more aggressive when it comes to identifying vulnerabilities and seems to use a broader list. There are vulnerabilities that Dependabot does not detect but Snyk does, and sometimes vice versa, although Snyk tends to be more complete in my personal experience and as comparative studies show.

eladnava commented 2 years ago

@mtrezza Sounds good, in both cases @ToothlessGear will need to set these up as the repo owner. Here are instructions for each one:

1) Snyk
2) Dependabot

mtrezza commented 2 years ago

@ToothlessGear How should we proceed with this?

ToothlessGear commented 2 years ago

@mtrezza: I think I've set everything up now. Regardless, I also gave you Collaborator rights on the repo, as well as npm.

mtrezza commented 2 years ago

Thanks! I'll take a look soon.

PeterBurner commented 2 years ago

Any news?

mtrezza commented 1 year ago

It seems this has been addressed. I noticed Snyk just opened a PR. Closing.

It was a dependabot PR.

mtrezza commented 1 year ago

@ToothlessGear I've requested org access on Snyk to set this up, you may have received an email.

ToothlessGear commented 1 year ago

@mtrezza Should be approved now.

mtrezza commented 1 year ago

It's strange that Snyk doesn't seem to have opened even a single PR since it was added. But it seems to be set up properly. I've enabled Automatic dependency upgrade pull requests for the project (not the org), because I'd say we want dependencies always up-to-date, even if they don't have a vulnerability. Let's see if it creates more PRs now.

mtrezza commented 1 year ago

Snyk is opening PRs, closing this.