search

hbz / lobid

Linking Open Bibliographic Data
https://lobid.org/
Eclipse Public License 2.0
15 stars 4 forks source link

Handle dependabot alerts #478

Closed dr0i closed 2 years ago

dr0i commented 2 years ago

IMO, as we control the complete input data (no user input possible), we could disable the dependabot alerts: https://github.com/hbz/lobid/settings/security_analysis Objections - thoughts?

acka47 commented 2 years ago

+1

fsteeg commented 2 years ago

But not all alerts have to be about user input, right? Shouldn't we take the same approach here as for SkoHub? (use devDependencies / run checks ourselves).

dr0i commented 2 years ago

Right @fsteeg, as discussed offline, we should do it like in https://github.com/skohub-io/skohub.io/issues/16.

katauber commented 2 years ago

+1

dr0i commented 2 years ago

After hours of trying to understand this, I still don't see how to follow the idea, as:

a) I don't know how to determine which javascript dependencies (looking at package.json) are going to public as static files after gatsby build aa) there are some js libraries checked in as plain files which are not even checked by dependabot (e.g. not one of the 60 vulnerabilities mention jquery-3.4.1 (which has a moderate vulnerability)) ab) gatsby uses webpack to build js bundles - see e.g. at http://lobid.org/team-en (yourBrowser->webdevtools->network->js) which are cryptic to me. Again, these are not checked by dependabot.

b) I can move all dependencies to devDependencies. But "npm install" will install them as if they would be normal dependencies. Ok then, an npm audit --production will ignore the devDependencies. What would we have gained by this?

I am still happy with having js as 1st-party (files served from our server in contrast to including files from some internet source). I also feel the vulnerabilities in aa) and ab) as neglectable. My educated evaluation: I still feel good enough wrt security (no server at risk - no input from users - where is the attack vector?).

So: I would just disable dependabot.

fsteeg commented 2 years ago

So: I would just disable dependabot.

+1

dr0i commented 2 years ago

Disabled dependabot. Closing.

dr0i commented 2 years ago

Note: as @acka47 pointed out, we could test the generated web sites with https://www.cypress.io/. We could do this in the future. We could then automatically test if dependencies break anything.