metarhia / jstp

Fast RPC for browser and Node.js based on TCP, WebSocket, and MDSF
https://metarhia.github.io/jstp

Remove bitHound before May 30th, 2018 #333

Closed tshemsedinov closed 6 years ago

tshemsedinov commented 6 years ago

Please be advised that the bitHound service will be shutting down on May 30th, 2018. // Dan Silivestru, CEO bitHound

belochub commented 6 years ago

After doing some searching, I think we have two other similar services to migrate to, which are Code Climate and Codacy. They both support JavaScript projects and seem to be free for open source projects. Also, from what I've read about its features, Codacy looks more similar to bitHound than Code Climate, so I think it's better to try out Codacy first.

tshemsedinov commented 6 years ago

@belochub great, we will move all our libraries to a new quality monitoring tool, especially a dependency checker. JSTP has a Codacy registration https://app.codacy.com/app/metarhia/jstp/dashboard but it has no appropriate dependency checker. On the other hand, Code Climate allows just one free repository per account.

belochub commented 6 years ago

@tshemsedinov, I think GitHub can already be used as a somewhat reliable dependency checker. It shows warnings about outdated and vulnerable dependencies on this page: https://github.com/metarhia/jstp/network/dependencies.

aqrln commented 6 years ago

@tshemsedinov, as @belochub mentioned above, checking for insecure dependencies that have CVE IDs is now built into GitHub. Alas, it doesn't show the path in the dependency tree and doesn't indicate whether an item is a dependency or a devDependency.

For a broader security database (and probably better UX), we can use Snyk, which bitHound has relied upon, directly. Apart from monitoring, it can automatically open PRs with updated dependencies, when there are official fixes by package maintainers, or sometimes their own patches/backports. Speaking about automation, there's a popular service named Greenkeeper, which, whenever a new version of a dependency is published, tries to update it in a temporary branch, runs the CI, and, depending on the outcome, opens a PR or an issue.

Another vulnerability database and Snyk's main competitor — Node Security Platform — has been acquired by npm recently. The new npm 6 already implements the client-side functionality and will start printing warnings on npm install and providing reports on npm audit as soon as the registry supports it on the server-side. And the CLI command to check for outdated dependencies — npm outdated — has received some refinements in the latest release too.

aqrln commented 6 years ago

A thing to keep in mind about Snyk: even though bitHound uses its vulnerability database, the results of the analysis differ between them. At the moment, bitHound warns about deep insecure dependencies of GitBook, but a quick run of Snyk (which is available for any public package/repo without enabling integration) shows no problems, because it only checks runtime dependencies and ignores devDependencies. The only way to analyze the devDependencies is by using the CLI (snyk test --dev). bitHound did that for us automatically. Furthermore, you might notice that GitHub warns about hoek@2.16.3, but bitHound doesn't, despite its (or, technically, Snyk's) database being bigger. This is the second pitfall: neither Snyk nor bitHound supports package-locks/shrinkwraps. But running npx snyk test --dev locally warns about hoek too, because it analyzes the contents of node_modules directly. Keeping the list of dependencies for which you get notified about vulnerabilities up to date also seems to be manual. In other words, while bitHound just worked, Snyk requires some configuration and integration with the CI pipeline to be useful.
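The two gaps the comments above point out (GitHub's alert shows neither the path through the dependency tree nor whether the item is a dependency or a devDependency, and the hosted scanners ignore package-lock.json) can be closed locally by walking the lockfile itself. The script below is an added example, not part of this thread or of the jstp project: it resolves a lockfileVersion 1 tree (the format npm 5/6 write) the way Node's module resolution does, reports every path from a direct dependency down to a given name@version together with npm's `dev` flag, and lists every installed copy of a package, including nested ones that were not hoisted. The package.json and package-lock.json objects are constructed for the example; hoek@2.16.3 and gitbook-cli come from the thread, the other names and version ranges are illustrative.

```javascript
'use strict';

// Constructed inputs (not a real project). Lockfile entries follow npm 5/6's
// lockfileVersion 1 shape: `requires` is what the package declares, nested
// `dependencies` hold copies npm could not hoist, `dev: true` marks dev-only.
const PACKAGE_JSON = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: { 'some-runtime-lib': '^1.2.0' },
  devDependencies: { 'gitbook-cli': '^2.3.0' },
};

const PACKAGE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'gitbook-cli': { version: '2.3.0', dev: true, requires: { request: '*' } },
    request: { version: '2.81.0', dev: true, requires: { hawk: '~3.1.3' } },
    hawk: { version: '3.1.3', dev: true, requires: { boom: '2.x.x', hoek: '2.x.x', sntp: '1.x.x' } },
    boom: { version: '2.10.1', dev: true, requires: { hoek: '2.x.x' } },
    sntp: { version: '1.0.9', dev: true, requires: { hoek: '2.x.x' } },
    hoek: { version: '2.16.3', dev: true },
    'some-runtime-lib': {
      version: '1.2.0',
      requires: { hoek: '^4.0.0' },
      // hoek@4 could not be hoisted because hoek@2 occupies the top level.
      dependencies: { hoek: { version: '4.2.1' } },
    },
  },
};

// Look `name` up like Node does: innermost node_modules first, then outward.
// `scopes` is the chain of `dependencies` maps from the current package to the root.
function resolveInScopes(name, scopes) {
  for (const scope of scopes) {
    if (scope && Object.prototype.hasOwnProperty.call(scope, name)) return scope[name];
  }
  return null;
}

// Every path from a direct dependency (as declared in package.json) down to
// targetName@targetVersion, with the kind of root edge and npm's dev flag.
function findDependencyPaths(pkgJson, lock, targetName, targetVersion) {
  const results = [];

  function walk(name, scopes, path, rootKind) {
    const entry = resolveInScopes(name, scopes);
    if (!entry) return; // package.json and lockfile disagree: skip, don't guess
    const id = `${name}@${entry.version}`;
    if (path.includes(id)) return; // cycle guard; npm allows circular deps
    const nextPath = path.concat(id);
    if (name === targetName && entry.version === targetVersion) {
      results.push({ path: nextPath, rootKind, dev: entry.dev === true });
      return;
    }
    // A package's own nested `dependencies` shadow the outer scopes.
    const nextScopes = [entry.dependencies].concat(scopes);
    for (const dep of Object.keys(entry.requires || {})) {
      walk(dep, nextScopes, nextPath, rootKind);
    }
  }

  for (const kind of ['dependencies', 'devDependencies']) {
    for (const name of Object.keys(pkgJson[kind] || {})) {
      walk(name, [lock.dependencies], [], kind);
    }
  }
  return results;
}

// All installed copies of a package, hoisted or nested, with their location.
function installedVersions(lock, name) {
  const found = [];
  (function scan(deps, where) {
    for (const [n, e] of Object.entries(deps || {})) {
      const here = where.concat(n);
      if (n === name) {
        found.push({ version: e.version, dev: e.dev === true, location: here.join('/node_modules/') });
      }
      scan(e.dependencies, here);
    }
  })(lock.dependencies, []);
  return found;
}

// Human-readable summary: one line per path, flagged runtime or dev.
function formatReport(pkgJson, lock, name, version) {
  const paths = findDependencyPaths(pkgJson, lock, name, version);
  if (paths.length === 0) return `${name}@${version} is not installed`;
  return paths
    .map((r) => `${r.dev ? 'dev    ' : 'runtime'}  ${r.path.join(' > ')}  (via ${r.rootKind})`)
    .join('\n');
}

console.log(formatReport(PACKAGE_JSON, PACKAGE_LOCK, 'hoek', '2.16.3'));
console.log(installedVersions(PACKAGE_LOCK, 'hoek'));
```

For a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync('package.json'))` and the same for package-lock.json. The dev/runtime distinction is what decides whether a hoek@2.16.3 finding is reachable in production or only on developer machines and CI; the `installedVersions` check catches the case where a fixed version is hoisted to the top level while a vulnerable copy still lives nested under another package.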

tshemsedinov commented 6 years ago

You know, I would prefer not to have dependencies at all :)

aqrln commented 6 years ago

UPD: npm audit is available in npm@5.10 too.