Closed dr0i closed 2 years ago
+1
But not all alerts have to be about user input, right? Shouldn't we take the same approach here as for SkoHub? (use devDependencies / run checks ourselves).
Right @fsteeg, as discussed offline, we should do it like in https://github.com/skohub-io/skohub.io/issues/16.
+1
After hours of trying to understand this, I still don't see how to follow the idea, as:
a) I don't know how to determine which javascript dependencies (looking at package.json
) are going to public
as static files after gatsby build
aa) there are some js libraries checked in as plain files which are not even checked by dependabot (e.g. not one of the 60 vulnerabilities mention jquery-3.4.1
(which has a moderate vulnerability))
ab) gatsby uses webpack
to build js bundles - see e.g. at http://lobid.org/team-en (yourBrowser->webdevtools->network->js) which are cryptic to me. Again, these are not checked by dependabot.
b) I can move all dependencies
to devDependencies
. But "npm install" will install them as if they would be normal dependencies
. Ok then, an npm audit --production
will ignore the devDependencies
. What would we have gained by this?
I am still happy with having js as 1st-party (files served from our server in contrast to including files from some internet source). I also feel the vulnerabilities in aa) and ab) as neglectable. My educated evaluation: I still feel good enough wrt security (no server at risk - no input from users - where is the attack vector?).
So: I would just disable dependabot.
So: I would just disable dependabot.
+1
Disabled dependabot. Closing.
Note: as @acka47 pointed out, we could test the generated web sites with https://www.cypress.io/. We could do this in the future. We could then automatically test if dependencies break anything.
IMO, as we control the complete input data (no user input possible), we could disable the dependabot alerts: https://github.com/hbz/lobid/settings/security_analysis Objections - thoughts?