mojaloop / design-authority-project

This is the Issue and Decision Log for tracking mojaloop and related Designs

Reconsider our NPM Audit Tools #92

Closed mdebarros closed 1 year ago

mdebarros commented 1 year ago

Request Summary:

npm-audit-resolver currently does not fully support Node LTS (specifically NPM v7+) for checking and fixing audits. We have a semi-work-around with Snapshot v3.0.0-7 release, but it has several issues:

  1. Inconsistent checks: this impacts our CI-CD pipelines, where we have to re-run failed audit-checks until it works as intended.
  2. The resolution feature does NOT work, and we have to resort to using npm audit --fix as a work-around.

Here is the issue npm-audit-resolver/issues/34, with the official v3 release being tracked here: npm-audit-resolver/issues/60.

Request Details:

Artifacts:

Dependencies:

Accountability:

Decision(s):

Due to the lack of maintenance on https://github.com/naugtur/npm-audit-resolver, I recommend we move to something that is more supported.

My suggestion is to use audit-ci by IBM: https://github.com/IBM/audit-ci.

Comparing npm-audit-resolver and audit-ci:


Follow-up:

mdebarros commented 1 year ago

Proposal accepted by DA (@lewisdaly, @tdaly61, @MichaelJBRichards, @elnyry-sam-k, @mdebarros) on 2022-07-13.

Refer to the meeting minutes --> https://community.mojaloop.io/t/da-meeting-minutes-2022-07-13/451

naugtur commented 1 year ago

Hi @mdebarros, npm-audit-resolver is supported. Sorry I didn't finish the v3 in time for you folks. Got swamped with way too many things and failed to get the community more engaged. If you install npm-audit-resolver@next it's working with npm 7 and 8. I didn't make an official release (probably a mistake on my side) because I wanted to finish a few little things.

npm-audit-resolver is a bit safer than audit-ci in how it ignores things, so I hope to win you back one day ;)

mdebarros commented 1 year ago

> Hi @mdebarros, npm-audit-resolver is supported. Sorry I didn't finish the v3 in time for you folks. Got swamped with way too many things and failed to get the community more engaged. If you install npm-audit-resolver@next it's working with npm 7 and 8. I didn't make an official release (probably a mistake on my side) because I wanted to finish a few little things.
>
> npm-audit-resolver is a bit safer than audit-ci in how it ignores things, so I hope to win you back one day ;)

Thanks, @naugtur for the update. Very much appreciated!

However, take note that we have tried to roll out npm-audit-resolver@3.0.0-7 and experienced several consistency issues when making checks. We are seeing that our CI audit-checks fail intermittently due to failures reported by npm-audit-resolver; re-running the same CI job (i.e. with no changes) would resolve the issue. This was one of the main reasons for moving away from npm-audit-resolver.

naugtur commented 1 year ago

That had nothing to do with npm-audit-resolver. It was an issue with GitHub, where they gave different IDs to the same item over time. It was fixed after a while, but for 3 months vulnerability IDs were changing occasionally.

https://github.com/naugtur/npm-audit-resolver/issues/56
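The intermittent failures discussed above came from advisory IDs being renumbered, which breaks any ignore-list keyed on the numeric id. The following is an added example, not code from mojaloop, audit-ci or npm-audit-resolver: a small CI gate over the npm 7+ `npm audit --json` report that allowlists findings by their advisory URL instead. It assumes the GHSA URL is the stable key, and the package names, ids and URL in the sample report are constructed.

```javascript
// Added example (not mojaloop, audit-ci or npm-audit-resolver code): a CI gate over
// `npm audit --json` (npm 7+) that allowlists by advisory URL, assumed stable, not by
// the numeric `source` id, which the thread reports was renumbered over time.
// Constructed sample report shaped like npm 7+ output (names, ids and URL made up).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-a': {
      name: 'pkg-a', severity: 'high', isDirect: true, range: '<1.0.1',
      via: [{
        source: 1001, // numeric advisory id: may be renumbered, so never matched on
        name: 'pkg-a', dependency: 'pkg-a', title: 'Constructed finding',
        url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc',
        severity: 'high', range: '<1.0.1',
      }],
      nodes: ['node_modules/pkg-a'], fixAvailable: true,
    },
    'pkg-b': { name: 'pkg-b', severity: 'high', range: '*', via: ['pkg-a'], // strings = chains
      nodes: ['node_modules/pkg-b'], fixAvailable: true },
  },
};
const LEVELS = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisory objects from every `via` list, deduped by URL (string entries are just chains).
function collectAdvisories(report) {
  const byUrl = new Map();
  for (const entry of Object.values(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via === 'object' && via.url && !byUrl.has(via.url)) byUrl.set(via.url, via);
    }
  }
  return [...byUrl.values()];
}

// Fail the build when an advisory at or above `threshold` is not on the URL allowlist.
function auditGate(report, { threshold = 'moderate', allowlist = [] } = {}) {
  const allowed = new Set(allowlist);
  const failing = collectAdvisories(report)
    .filter((a) => (LEVELS[a.severity] ?? 4) >= LEVELS[threshold] && !allowed.has(a.url))
    .map((a) => `${a.name}: ${a.title} (${a.severity}) ${a.url}`);
  return { ok: failing.length === 0, failing };
}

// Republish the same advisory under a new numeric id, as the thread describes.
function withNewSourceId(report, id) {
  const copy = JSON.parse(JSON.stringify(report));
  copy.vulnerabilities['pkg-a'].via[0].source = id;
  return copy;
}
```

In a pipeline the report would come from `JSON.parse` of the `npm audit --json` output, and a non-`ok` result would exit non-zero.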