Closed mdebarros closed 1 year ago
Proposal accepted by DA (@lewisdaly, @tdaly61, @MichaelJBRichards, @elnyry-sam-k, @mdebarros) on 2022-07-13.
Refer to the meeting minutes: https://community.mojaloop.io/t/da-meeting-minutes-2022-07-13/451
Hi @mdebarros, npm-audit-resolver is supported. Sorry I didn't finish the v3 in time for you folks. Got swamped with way too many things and failed to get the community more engaged. If you install npm-audit-resolver@next it's working with npm 7 and 8. I didn't make an official release (probably a mistake on my side) because I wanted to finish a few little things.
npm-audit-resolver is a bit safer than audit-ci in how it ignores things, so I hope to win you back one day ;)
Thanks, @naugtur for the update. Very much appreciated!
However, take note that we have tried to roll out npm-audit-resolver@3.0.0-7, and experienced several consistency issues when making checks. We are seeing that our CI audit-checks fail intermittently due to failures reported by npm-audit-resolver; re-running the same (i.e. no changes) CI job would resolve the issue. This was one of the main reasons for moving away from npm-audit-resolver.
That had nothing to do with npm-audit-resolver. It was an issue with GitHub where they gave different IDs to the same item over time. It was fixed after a while but for 3 months vulnerability IDs were changing occasionally.
Request Summary:
`npm-audit-resolver` currently does not fully support Node LTS (specifically NPM v7+) for checking and fixing audits. We have a semi-work-around with the Snapshot v3.0.0-7 release, but it has several issues; `npm audit --fix` is used as a work-around. Here is the issue npm-audit-resolver/issues/34, with the official v3 release being tracked here: npm-audit-resolver/issues/60.
Request Details:
Artifacts:
Dependencies:
Accountability:
Decision(s):
Due to the lack of maintenance on https://github.com/naugtur/npm-audit-resolver, I recommend we move to something that is more supported.
My suggestion is to use `audit-ci` by IBM: https://github.com/IBM/audit-ci.
Comparing `npm-audit-resolver` and `audit-ci`:
- `audit-ci` offers more advanced capabilities here
- `audit-ci` supports Node LTS, where `npm-audit-resolver` does not
- `audit-ci` supports `npm` and other package managers, such as `yarn`, where `npm-audit-resolver` only supports `npm`.
- `audit-ci` does not have any expiry function. I think this is ok as we still have GitHub security (e.g. Dependabot) that is producing notifications and suggested PRs regardless of either of these tools. Thus the issue will still be visible.
Details
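The gate that either tool applies in CI, written out as an added example (not code from npm-audit-resolver, audit-ci or the Mojaloop project): parse an `npm audit --json` report, drop findings below the severity threshold, accept findings on an allowlist, and fail the build on everything else. It assumes the npm 7+ report layout (auditReportVersion 2, advisory objects under each package's `via`) and uses a constructed report and a constructed allowlist with made-up GHSA ids. The allowlist carries an expiry date, which is the feature the decision above notes audit-ci lacks, so the reader can see what an expiry does: an accepted risk whose review date has passed is treated as a fresh finding. Findings are keyed on the advisory id from the URL, so an id that changes (as described in the comments above) surfaces as a new failure rather than silently passing.

```python
import json
from datetime import date

# Severity ladder used by npm audit; findings at or above the CI threshold fail the build.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def _vuln(name, severity, adv_id, title, direct=True):
    """Build one package entry in the shape npm 7+ uses (constructed for the example)."""
    return {
        "name": name, "severity": severity, "isDirect": direct,
        "via": [{"source": int(adv_id[-4:]), "name": name, "dependency": name, "title": title,
                 "url": "https://github.com/advisories/" + adv_id, "severity": severity, "range": "<9.9.9"}],
        "effects": [], "range": "<9.9.9", "nodes": ["node_modules/" + name], "fixAvailable": True,
    }


# Constructed `npm audit --json` report (auditReportVersion 2). Package names and GHSA ids are made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-parser": _vuln("example-parser", "high", "GHSA-0000-aaaa-0001", "Prototype pollution"),
        "example-logger": _vuln("example-logger", "low", "GHSA-0000-aaaa-0002", "ReDoS in format string", False),
        "example-app": {  # a string in `via` means "vulnerable through example-logger", not a new advisory
            "name": "example-app", "severity": "low", "isDirect": True, "via": ["example-logger"],
            "effects": [], "range": "*", "nodes": ["node_modules/example-app"], "fixAvailable": False,
        },
        "example-crypto": _vuln("example-crypto", "critical", "GHSA-0000-aaaa-0003", "Weak key derivation"),
        "example-yaml": _vuln("example-yaml", "moderate", "GHSA-0000-aaaa-0004", "Unsafe document load"),
    },
})

# Constructed allowlist: each accepted advisory carries a reason and an expiry date (ISO 8601).
SAMPLE_ALLOWLIST = {
    "GHSA-0000-aaaa-0001": {"reason": "not reachable: untrusted input is never parsed", "expires": "2022-12-31"},
    "GHSA-0000-aaaa-0003": {"reason": "awaiting upstream fix", "expires": "2022-06-30"},
}


def advisories(report):
    """Yield (advisory_id, package, severity, title) for every advisory object in the report.

    String entries in `via` are transitive pointers to another vulnerable package and are skipped;
    each advisory is reported once per package that carries the advisory object. The id is taken
    from the advisory URL (the GHSA id), which is the key the allowlist is matched on.
    """
    seen = set()
    for pkg, vuln in report.get("vulnerabilities", {}).items():
        for via in vuln.get("via", []):
            if isinstance(via, str):
                continue
            adv_id = via.get("url", "").rsplit("/", 1)[-1] or str(via.get("source"))
            if (adv_id, pkg) in seen:
                continue
            seen.add((adv_id, pkg))
            yield adv_id, pkg, via.get("severity", "info"), via.get("title", "")


def evaluate(report_json, allowlist, threshold="moderate", today=None):
    """Classify each advisory and return the lists CI needs to decide and to report."""
    today = today or date.today()
    result = {"fail": [], "ignored": [], "expired": [], "below_threshold": []}
    for adv_id, _pkg, severity, _title in advisories(json.loads(report_json)):
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[threshold]:
            result["below_threshold"].append(adv_id)
            continue
        entry = allowlist.get(adv_id)
        if entry is None:
            result["fail"].append(adv_id)
        elif date.fromisoformat(entry["expires"]) < today:
            # An accepted risk whose review date has passed counts as a fresh finding.
            result["expired"].append(adv_id)
            result["fail"].append(adv_id)
        else:
            result["ignored"].append(adv_id)
    return {k: sorted(v) for k, v in result.items()}


def ci_passes(result):
    """The build passes only when nothing at or above the threshold is left unaccounted for."""
    return not result["fail"]


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_AUDIT_JSON, SAMPLE_ALLOWLIST, "moderate", date(2022, 7, 13))
    print(json.dumps(outcome, indent=2))
    print("CI", "passes" if ci_passes(outcome) else "fails")
```

Run against the constructed report on 2022-07-13 with a `moderate` threshold, the build fails on two advisories: the unlisted moderate one and the critical one whose allowlist entry expired on 2022-06-30. Dropping the expiry check (which is what the decision accepts when choosing audit-ci) would have let the expired entry keep suppressing the critical finding indefinitely, leaving Dependabot notifications as the only reminder.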
Follow-up:
Core-team will roll out the changes on an ad-hoc basis as PRs are created for bug-fixes, LTS upgrades or general maintenance.
PR examples for these will be used as a reference when any future PRs are made, thus allowing not just the Core-team but any contributor to make this change. ~ @mdebarros to provide
[ ] Actions to implement the decisions