search

mongodb / docs-realm

Realm Database SDK documentation
https://www.mongodb.com/docs/realm/
44 stars 88 forks source link

Rename the Web package.json to stop Snyk PRs #3374

Closed dacharyc closed 1 month ago

dacharyc commented 1 month ago

Pull Request Info

After investigation to the Snyk integration, it seems we are unable to disable it for a specific directory or repository.

While we are evaluating long-term plans for the Web SDK test suite, getting unnecessary Snyk update PRs is disruptive and creates maintenance burden.

This PR renames the package.json file, which is one of the files that Snyk scans for, which should hopefully stop the Snyk dependency update PRs. The updated README provides instructions about the changes required to run the test suite locally and reinstate it in the future.

netlify[bot] commented 1 month ago

Deploy Preview for device-sdk ready!

Name Link
Latest commit e1f3ecdd7556dcda76c10a8b56fc3f56a529084c
Latest deploy log https://app.netlify.com/sites/device-sdk/deploys/66be1bb88bc14700089482ee
Deploy Preview https://deploy-preview-3374--device-sdk.netlify.app
Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

docs-builder-bot commented 1 month ago

✨ Staging URL: https://preview-mongodbmongodb.gatsbyjs.io/realm/master/

🪵 Logs

MongoCaleb commented 1 month ago

As long as this doesn't cause Snyk to run and fail (file not found), I'm OK with it.

dacharyc commented 1 month ago

@MongoCaleb No guarantees, but according to Snyk documentation + internal documentation, Snyk runs on a scheduled cadence determined by the org and checks all the projects for files that list dependencies. The best info I could find suggests it's looking for specific naming conventions, i.e. package.json. If it finds a file matching the naming convention, it checks the dependencies and makes PRs for vulnerabilities (configurable by the org).

So - making our dependency file not match the naming conventions it scans for suggests it just "won't find" this dependency file and therefore won't make a PR.

But changing the name doesn't "cause Snyk to run and fail" - it runs on a scheduled cadence we can't control for all of the org's repos, and changing the name means it shouldn't find anything that it thinks it should update. 🤞