knownasilya
commented
6 years ago Audit is no longer a thing in the latest code, although those options are still in the commands. @davewasmer what's the goal here?
Open seawatts opened 6 years ago
knownasilya
commented
6 years ago Audit is no longer a thing in the latest code, although those options are still in the commands. @davewasmer what's the goal here?
davewasmer
commented
6 years ago I'm open to suggestions.
Ideally, I want to make security a "default" thing as much as possible in Denali. The Node Security Project (nsp) is a good resource that catalogs CVE's for Node projects and offers tools to programmatically analyze your package.json for vulnerable packages.
My gut says that this should be baked into Denali core, although I'm open to reasons why an addon might be better.
If it's core, then one question is when to run the check - on every single build? On production builds only? On CI only?
knownasilya
commented
6 years ago What about a denali audit command, which does nsp and maybe other things? Then a ci:test script could run audit and test.
davewasmer
commented
6 years ago Hm, yea, that could work.
Here's a slight tweak, lemme know what you think:
denali test, when run in a CI environment (i.e. $CI exists) will automatically run the audit step. You can add --skip-audit to avoid this step, but must explicitly add the flag (making security the default).
In a local environment, you can either run denali test --audit (which basically does the same as running in a CI environment - runs tests and audit), or you can run denali audit if you want just the audit results.
I think this approach is a good blend of security by default, while allowing for escape valves for folks that don't want it, and easy ways to track down problems locally when detected.
https://github.com/denali-js/denali/blob/82401b4517b94426c3d723981eafad6356fd39cf/commands/build.ts#L39