mozilla / fxa

Monorepo for Mozilla Accounts (formerly Firefox Accounts)
https://mozilla.github.io/ecosystem-platform/
Mozilla Public License 2.0

Set up Snyk and/or yarn audit? #13107

Closed pdehaan closed 2 years ago

pdehaan commented 2 years ago

Description

Was reading https://alexkondov.com/tao-of-node/#use-snyk this morning and it might be useful to set up for the FxA pipeline. Although I'm not sure how it works w/ monorepos.

Was also taking a look at https://yarnpkg.com/cli/npm/audit#examples the other day and wondering if we should use it, or if we already are using npm audit w/ audit-filter and that gives similar results.

yarn npm audit -AR --severity=high --environment=production

We could also add the --json flag if we want to add more filtering or ignore certain dependencies, similar to what we did w/ audit-filter.

┆Issue is synchronized with this Jira Task
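As an added example of the `--json` filtering the comment describes (this is not code from the fxa repo or from the comment above), the script below applies a severity floor and an allowlist to an audit report, the way the per-package `npm audit --json | audit-filter --nsp-config=.nsprc` scripts do today. Two shapes are assumed rather than taken from the issue: the report is in npm's v1 audit JSON layout (`advisories` keyed by id, each with `module_name`, `severity`, `url`, `findings`), and the allowlist is an audit-filter style `.nsprc` with an `exceptions` array of advisory URLs. It also accepts one JSON object per line, since yarn berry commands emit line-delimited JSON under `--json`. All advisory ids, package names and URLs in the sample are constructed placeholders.

```javascript
// Added example: gate an audit report by severity floor plus an allowlist of
// reviewed advisories. Assumed shapes (not from the issue):
//  - report: npm v1 audit JSON { advisories: { [id]: { module_name, severity, url, findings } } }
//  - allowlist: audit-filter style .nsprc { exceptions: ["https://npmjs.com/advisories/<id>", ...] }

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: placeholder ids, package names and URLs, not real advisories.
const SAMPLE_REPORT_TEXT = JSON.stringify({
  advisories: {
    '1001': { id: 1001, module_name: 'example-left', severity: 'high',
              url: 'https://npmjs.com/advisories/1001',
              findings: [{ version: '1.0.0', paths: ['example-left'] }] },
    '1002': { id: 1002, module_name: 'example-parse', severity: 'moderate',
              url: 'https://npmjs.com/advisories/1002',
              findings: [{ version: '2.1.0', paths: ['example-app>example-parse'] }] },
    '1003': { id: 1003, module_name: 'example-dev-tool', severity: 'critical',
              url: 'https://npmjs.com/advisories/1003',
              findings: [{ version: '0.3.0', paths: ['example-dev-tool'] }] },
  },
});

// Constructed allowlist: advisory 1001 has been reviewed and accepted.
const SAMPLE_NSPRC = { exceptions: ['https://npmjs.com/advisories/1001'] };

// Parse either a single JSON document (npm audit --json) or one JSON object per
// line (yarn berry --json output) and merge every `advisories` map found.
function parseReport(text) {
  const advisories = {};
  let docs;
  try {
    docs = [JSON.parse(text)];
  } catch (_) {
    docs = text.split('\n').filter((l) => l.trim()).map((l) => JSON.parse(l));
  }
  for (const doc of docs) {
    if (doc && typeof doc.advisories === 'object') Object.assign(advisories, doc.advisories);
  }
  return advisories;
}

// Split advisories into failing / allowlisted / below-threshold buckets.
// An advisory with an unknown severity string fails closed.
function filterAudit(advisories, { minSeverity = 'high', exceptions = [] } = {}) {
  const floor = SEVERITY_RANK[minSeverity];
  if (floor === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const allowed = new Set(exceptions);
  const result = { failing: [], ignored: [], belowThreshold: [] };
  for (const adv of Object.values(advisories)) {
    const rank = SEVERITY_RANK[adv.severity];
    const entry = {
      id: adv.id, module: adv.module_name, severity: adv.severity, url: adv.url,
      paths: (adv.findings || []).flatMap((f) => f.paths || []),
    };
    if (allowed.has(adv.url)) result.ignored.push(entry);
    else if (rank === undefined || rank >= floor) result.failing.push(entry);
    else result.belowThreshold.push(entry);
  }
  return result;
}

// Non-zero only when an advisory at or above the floor is not allowlisted.
function exitCodeFor(result) {
  return result.failing.length > 0 ? 1 : 0;
}

function main(text, nsprc) {
  const result = filterAudit(parseReport(text), {
    minSeverity: 'high', exceptions: nsprc.exceptions || [],
  });
  for (const e of result.failing) console.log(`FAIL ${e.severity} ${e.module} ${e.url} via ${e.paths.join(', ')}`);
  for (const e of result.ignored) console.log(`SKIP ${e.severity} ${e.module} (allowlisted in .nsprc)`);
  return exitCodeFor(result);
}

if (typeof require !== 'undefined' && require.main === module) {
  // `yarn npm audit -AR --json | node audit-gate.js --stdin` gates a real report
  // against ./.nsprc; without --stdin the constructed sample is used.
  const useStdin = process.argv.includes('--stdin');
  let text = SAMPLE_REPORT_TEXT;
  let nsprc = SAMPLE_NSPRC;
  if (useStdin) {
    const fs = require('fs');
    text = fs.readFileSync(0, 'utf8');
    nsprc = fs.existsSync('.nsprc') ? JSON.parse(fs.readFileSync('.nsprc', 'utf8')) : { exceptions: [] };
  }
  const code = main(text, nsprc);
  if (useStdin) process.exitCode = code;
  else console.log(`exit code would be ${code}`);
}
```

Run from the repo root so a single report covers every workspace; allowlisting by advisory URL rather than by package name keeps an exception from silently covering a newer, unrelated advisory against the same package.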

pdehaan commented 2 years ago

UPDATE: Filed separately as https://github.com/mozilla/fxa/issues/13476 since I noticed this again while auditing some recent package.json PRs.
I tried yarn workspaces foreach --verbose run audit and it seems to throw a bunch of errors, so not sure if it expects a package-lock.json file in each package.

git grep -n "audit" packages/*/package.json | grep -v '"audit-filter"'

packages/123done/package.json:42:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/browserid-verifier/package.json:47:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fortress/package.json:41:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-admin-server/package.json:9:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-auth-server/package.json:14:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-content-server/package.json:8:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-customs-server/package.json:20:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-event-broker/package.json:6:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-geodb/package.json:11:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-graphql-api/package.json:9:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-payments-server/package.json:10:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-profile-server/package.json:8:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-shared/package.json:21:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-support-panel/package.json:12:    "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",

For example, if I run npm audit from packages/fxa-content-server, I get the following output:

npm audit
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/pdehaan/.npm/_logs/2022-05-31T17_31_03_039Z-debug.log

Similarly, yarn audit gives the same error, but a bit more verbose:

yarn audit
node:internal/fs/utils:344
    throw err;
    ^

Error: EAGAIN: resource temporarily unavailable, read
    at Object.readSync (node:fs:723:3)
    at tryReadSync (node:fs:433:20)
    at Object.readFileSync (node:fs:479:19)
    at Object.<anonymous> (/Volumes/Dev/github/mozilla/fxa/node_modules/audit-filter/cli.js:36:16)
    at Module._compile (node:internal/modules/cjs/loader:1101:14)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
    at Module.load (node:internal/modules/cjs/loader:981:32)
    at Function.Module._load (node:internal/modules/cjs/loader:822:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47 {
  errno: -35,
  syscall: 'read',
  code: 'EAGAIN'
}
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file
{
  "error": {
    "code": "ENOLOCK",
    "summary": "This command requires an existing lockfile.",
    "detail": "Try creating one first with: npm i --package-lock-only\nOriginal error: loadVirtual requires existing shrinkwrap file"
  }
}

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/pdehaan/.npm/_logs/2022-05-31T17_30_57_634Z-debug.log

cknowles-admin commented 2 years ago

FxA is no longer synchronizing all issues between Jira and Github. We are closing open issues and will selectively synchronize in the future.