ToothlessGear / node-gcm

A NodeJS wrapper library port to send data to Android devices via Google Cloud Messaging
https://github.com/ToothlessGear/node-gcm
Other
1.3k stars 206 forks source link

Add snyk to fix vulnerabilities faster #354

Closed mtrezza closed 2 years ago

mtrezza commented 3 years ago

Add snyk to this repository to auto-create PRs to fix vulnerabilities instead of waiting for someone to open a manual PR.

mtrezza commented 3 years ago

@eladnava @ToothlessGear What do you think?

ToothlessGear commented 3 years ago

@mtrezza I'm open to give maintainer privileges to you, however maybe @eladnava and @hypesystem have some input too.

mtrezza commented 3 years ago

@ToothlessGear Thanks, I'll be happy to hear any input and obviously we would discuss any suggested changes to find the best way forward for the repo.

eladnava commented 3 years ago

@mtrezza @ToothlessGear I think it would be great to have automated vulnerability fix PRs. I'm more inclined to use GitHub's built-in Dependabot, however only the repo owner (@ToothlessGear) can enable it, by visiting this page: https://github.com/ToothlessGear/node-gcm/network/updates

Dependabot works similarly to Snyk by constantly scanning the project dependencies and alerting when a vulnerability is detected, and opening a PR with a fix if possible to do so in an automated way.

mtrezza commented 3 years ago

We usually use both in projects. snyk seems to be more aggressive when it comes to identifying vulnerabilities and seems to use a broader list. There are vulnerabilities that dependabot does not detect but snyk does, and sometimes vice versa, although snky tends to be more complete in my personal experience and as comparative studies show.

eladnava commented 3 years ago

@mtrezza Sounds good, in both cases @ToothlessGear will need to set these up as the repo owner. Here are instructions for each one:

1) Snyk 2) Dependabot

mtrezza commented 2 years ago

@ToothlessGear How should we proceed with this?

ToothlessGear commented 2 years ago

@mtrezza: I think I've set everything up now. Regardless, I also gave you Collaborator rights on the repo, as well as npm.

mtrezza commented 2 years ago

Thanks! I'll take a look soon.

PeterBurner commented 2 years ago

Any news?

mtrezza commented 2 years ago

It seems this has been addressed. I noticed Snyk just opened a PR. Closing.

It was a dependabot PR.

mtrezza commented 2 years ago

@ToothlessGear I've requested org access on Snky to set this up, you may have received an email.

ToothlessGear commented 2 years ago

@mtrezza Should be approved now.

mtrezza commented 2 years ago

It's strange that Snky doesn't seem to have opened even a single PR since it was added. But it seems to be set up properly. I've enabled Automatic dependency upgrade pull requests for the project (not the org), because I'd say we want dependencies always up-to-date, even if they don't have a vulnerability. Let's see if it creates more PRs now.

mtrezza commented 2 years ago

Snky is opening PRs, closing this.