expressjs / security-wg

Express.js Security Working Group
MIT License

Socket.dev reports on all our repos #17

Open wesleytodd opened 7 months ago

wesleytodd commented 7 months ago

I think we should add the Socket.dev tooling to all three orgs repos. It is easy to do, I have already done it for some personal repos and some work ones. I find it is the best in class for warning me about changes I might care about in updated dependencies. Anyone opposed to this? I could add it just to one for the time being if we wanted to try it out first.

cc @expressjs/express-tc @expressjs/security-wg

ctcpip commented 7 months ago

I don't really see any downside aside from the noise from comments. (Which shouldn't be just noise if it's doing anything useful.) And we can always remove it.

wesleytodd commented 7 months ago

The one thing I am not sure about is how well it reports when we don't have lockfiles. There are good reasons not to have lock files for libraries, but it might be another thing to consider at some point. If we can get reliable automation around testing before publish with fully updated locks, then ideally we can add them, but for now even just something to help tell us that a PR like this did not pull in anything surprising would be nice.

UlisesGascon commented 7 months ago

I think we should add the Socket.dev tooling to all three orgs repos.

Yes! 100%

The one thing I am not sure about is how well it reports when we don't have lockfiles.

We can do a test and if this is an issue we can revert the integration or explore alternatives.

ctcpip commented 7 months ago

The one thing I am not sure about is how well it reports when we don't have lockfiles.

IME with these tools, the only way to know for sure is to fork a repo and compare the results with and without a lock file.

wesleytodd commented 7 months ago

Now that I am thinking about it, I think I have this running on some without lockfiles and it is working well. Examples:

https://github.com/wesleytodd/create-git/pull/54#issuecomment-1824636086
https://github.com/wesleytodd/cptmpl/pull/13#issuecomment-2055093492

UlisesGascon commented 7 months ago

Seems like we are good to add it. We can do a fast check with the team in the next TC meeting and enable it.

wesleytodd commented 7 months ago

Yep, I will add the agenda label. But yeah, then I can enable it on a few to start.