cfpb / regulations-site

(DEPRECATED) Web interface for viewing U.S. federal regulations and other regulatory information

Patch dependencies and fail builds for known npm package vulnerabilities #798

Closed ascott1 closed 8 years ago

ascott1 commented 8 years ago

This does two things:

  1. Patches a few nested dependencies
  2. Sets up the tool Snyk to test our npm dependencies and fail builds and Travis if there are any known vulnerabilities

ascott1 commented 8 years ago

One thing that might be annoying... the ./frontendbuild.sh command will fail if there's a known vulnerability. This could be a good thing as it would force a person to fix that before moving on, but it could also be a frustration point. Thoughts?
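The gate described in the PR (run a dependency scan in the build script and fail on known vulnerabilities) and the concern raised just above (that a single finding blocks every build) can both be shown with a small threshold-based gate. The following is an added example written for this page; it is not code from the cfpb/regulations-site repository or from this PR. It assumes a report in the shape produced by `snyk test --json` (an `ok` flag and a `vulnerabilities` array whose entries carry `id`, `severity`, `packageName`, `version` and `title`); the sample report, package names and vulnerability ids are constructed placeholders, and the `gateBuild`/`findingsAtOrAbove` names are the example's own.

```javascript
// Added example, not the project's code: a build gate over a Snyk-style JSON
// report that fails only when findings reach a chosen severity threshold.
// Report shape is an assumption based on `snyk test --json`; the sample below
// is constructed.

// Ordering used to compare a finding's severity against the threshold.
const SEVERITY_RANK = { low: 0, medium: 1, high: 2, critical: 3 };

// Returns the findings whose severity is at or above `threshold`.
// Unknown severities are treated as below every threshold.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  return (report.vulnerabilities || []).filter(
    (v) => (SEVERITY_RANK[v.severity] ?? -1) >= min
  );
}

// Decides pass/fail for the build. Returns the exit code the build script
// should use plus one printable line per blocking finding, so the decision
// can be inspected without terminating the process.
function gateBuild(report, threshold = 'high') {
  const blocking = findingsAtOrAbove(report, threshold);
  const messages = blocking.map(
    (v) =>
      `${v.severity.toUpperCase()} ${v.id}: ${v.packageName}@${v.version} - ${v.title}`
  );
  return {
    exitCode: blocking.length > 0 ? 1 : 0,
    blocking: blocking.length,
    messages,
  };
}

// Constructed sample report: one high and one low finding (placeholder ids).
const SAMPLE_REPORT = {
  ok: false,
  vulnerabilities: [
    {
      id: 'EXAMPLE-VULN-1',
      severity: 'high',
      packageName: 'example-dep',
      version: '1.0.0',
      title: 'Example high-severity finding',
    },
    {
      id: 'EXAMPLE-VULN-2',
      severity: 'low',
      packageName: 'example-util',
      version: '2.3.1',
      title: 'Example low-severity finding',
    },
  ],
};

// Stand-alone demo: with a "high" threshold only the first finding blocks;
// with "critical" nothing blocks, with "low" both findings do.
for (const threshold of ['high', 'critical', 'low']) {
  const result = gateBuild(SAMPLE_REPORT, threshold);
  console.log(
    `threshold=${threshold}: ${result.blocking} blocking finding(s), exit code ${result.exitCode}`
  );
  for (const m of result.messages) console.log(`  ${m}`);
}
```

In a build script the caller would run the scanner, feed its JSON report to `gateBuild`, and exit with the returned code; keeping the threshold explicit lets the team block on high and critical findings while low-severity ones surface in the log without stopping the build.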

willbarton commented 8 years ago

@ascott1 theoretically, with version pinning and shrinkwrapping, this is something that would be encountered when dealing with new versions, correct? Or would be dealt with upstream? This wouldn't be a regular occurrence for an end-user?

ascott1 commented 8 years ago

@willbarton that's correct. It should be a very rare occurrence for any end-user.

willbarton commented 8 years ago

@ascott1 then I'd say the benefits seem to vastly outweigh the potential frustration.

:+1: