finos / code-scanning

How to protect FINOS hosted projects from security threats and license compliance issues
Apache License 2.0

update cve-scanning-node.yml and add npm update --save #265

Closed josspo closed 1 year ago

josspo commented 1 year ago

Adding the command `npm update --save` before running `npx --yes auditjs ossi --whitelist allow-list.json` to update dependencies.

maoo commented 1 year ago

@josspo - thanks for the PR.

Unfortunately we cannot add `npm update` to the build, otherwise the flawed dependencies would be updated to their latest versions, and therefore change the outcome of the build.

It is also not advised to run npm update automatically; new versions should be manually updated and verified by developers.

Closing the PR.