iTwin / iTwinUI-react

A react component library for iTwinUI.
https://github.com/iTwin/iTwinUI

chore: Remove the need to copy .md files #952

Closed mayank99 closed 1 year ago

mayank99 commented 1 year ago

TL;DR: Removed (vulnerable) dependency on cpy-cli. Symlinked the md files instead of copying them.

Full explanation

Previously we were copying README.md and LICENSE.md from the root of the monorepo into packages/iTwinUI-react. This was done because we wanted these files to be displayed in the GitHub UI (when someone visits our repo) and also in the npm deliverable.

But copying files like this is bad for several reasons:

The first of those four points is really the main reason. npm packages that do file system manipulation often result in security vulnerabilities. This was the case when we were using cpx (previously) and this is still the case with cpy-cli (which we added in #668). The most recent annoyance is https://github.com/advisories/GHSA-w573-4hg7-7wgq. Removing the dependency fixes it while also avoiding any future vulnerabilities.

To get around the need to copy these files, I have created a symlink. The source file lives under packages/iTwinUI-react and has been symlinked in the root folder. GitHub understands Unix symlinks and correctly displays the markdown (see my branch for confirmation). When we want to edit these files locally, we can just edit the one at the source location, instead of the one at the root. Win-win-win situation!
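The symlink layout the PR describes, reproduced as an added example (not code from the PR or from the iTwinUI repository) together with the check a maintainer would want in CI once markdown files are links rather than copies: each root-level link must be relative, must not dangle, and must resolve to a file inside the repository. The repository path and file contents are constructed here.

```shell
#!/bin/sh
# Added example, not part of the iTwinUI PR. Builds the layout from the
# PR (source file under packages/iTwinUI-react, symlink at the repo root)
# and checks that every such link is safe to ship and to render.

# setup_repo REPO: create the constructed layout under REPO.
setup_repo() {
  repo="$1"
  mkdir -p "$repo/packages/iTwinUI-react"
  printf '# iTwinUI-react\n' > "$repo/packages/iTwinUI-react/README.md"
  printf 'MIT License\n' > "$repo/packages/iTwinUI-react/LICENSE.md"
  # Relative targets stay valid after a clone or a move of the checkout.
  ln -s packages/iTwinUI-react/README.md "$repo/README.md"
  ln -s packages/iTwinUI-react/LICENSE.md "$repo/LICENSE.md"
}

# check_link REPO NAME: succeed (return 0) only when REPO/NAME is a
# symlink with a relative target that exists and lies inside REPO.
check_link() {
  repo="$1"; name="$2"; link="$repo/$name"
  [ -L "$link" ] || { echo "$name: not a symlink"; return 1; }
  target=$(readlink "$link")
  case "$target" in
    /*) echo "$name: absolute target $target"; return 1 ;;
  esac
  [ -f "$link" ] || { echo "$name: dangling link to $target"; return 1; }
  # Resolve the target physically and confirm it stays under the repo root.
  resolved=$(cd "$(dirname "$link")" && cd "$(dirname "$target")" && pwd -P)
  resolved="$resolved/$(basename "$target")"
  root=$(cd "$repo" && pwd -P)
  case "$resolved" in
    "$root"/*) return 0 ;;
    *) echo "$name: resolves outside repo: $resolved"; return 1 ;;
  esac
}
```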