Security: Pinning dependencies, running npm audit in ci - Githubissues

discipl / waardepapieren

project for consortium of municipalities digitizing PoE services

GNU General Public License v3.0

7 stars 3 forks source link

Security: Pinning dependencies, running npm audit in ci #79

Closed pimotte closed 5 years ago

pimotte commented 5 years ago

For each of the following projects, we should switch to pinned versions for all dependencies:

core-baseconnector
core-ephemeral (done in https://github.com/discipl/discipl-core-ephemeral/pull/26)
core (done in https://github.com/discipl/core/pull/45)
abundance-service (done in https://github.com/discipl/discipl-abundance-service/pull/13)
paper-wallet (done in https://github.com/discipl/discipl-paper-wallet/pull/11)
waardepapieren-service (done in #80)

For each of these repo's we should:

Change all version numbers to be static (without ~ or ^)
Run npm audit in the ci (and have the ci fail if there are security issues)
Change the name of the "build" task to "prepack" (this will automatically execute when running npm pack). Not a security issue, but prevents us from accidently releasing mismatched src/ and dist/ folders.