Closed BCerki closed 2 years ago
This looks like the continuation of https://github.com/button-inc/digital_marketplace/pull/11
There are a few known issues with `npm audit`.
- No way to ignore advisories
- Unable to filter out low severity issues
- Ongoing network issues with NPM registry can cause false positives
- Noise from dev dependencies
Popular alternatives include:
I'd also recommend reviewing the Security tab and consider splitting off a new issue to configure CodeQL.
@wenzowski, general question: when you make a comment like this (there are other tools than the one I'm using that might be better), how does that translate to a to-do? Use `npm audit` but be aware there are limitations and consider something else next time? Research the popular alternatives and implement the one I think is best (or have a team discussion about what one is best and then implement that)?
I'd lean to decompose wherever possible. If there's an opportunity to achieve implementation of an `npm audit --audit-level=moderate` guardrail in an efficient manner, I'd ship that first before looking at additional dependencies. If, however, the built-in `npm audit` appears to be difficult to bring to a passing state due to the frictions noted here, I'd comment to that effect, close the `npm audit` PR without merging (leaving a reference here) and try one of the alternate tools (above) directly.
This is linked to https://github.com/button-inc/digital_marketplace/issues/6 -- these updates will probably fix a lot of the issues.
Will switch to yarn so find a different audit