Closed pdehaan closed 2 years ago
UPDATE: Filed separately as https://github.com/mozilla/fxa/issues/13476 since I noticed this again while auditing some recent package.json PRs.
I tried yarn workspaces foreach --verbose run audit and it seems to throw a bunch of errors, so not sure if it expects a package-lock.json file in each package.
git grep -n "audit" packages/*/package.json | grep -v '"audit-filter"'
packages/123done/package.json:42: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/browserid-verifier/package.json:47: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fortress/package.json:41: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-admin-server/package.json:9: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-auth-server/package.json:14: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-content-server/package.json:8: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-customs-server/package.json:20: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-event-broker/package.json:6: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-geodb/package.json:11: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-graphql-api/package.json:9: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-payments-server/package.json:10: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-profile-server/package.json:8: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-shared/package.json:21: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
packages/fxa-support-panel/package.json:12: "audit": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-",
For example, if I run npm audit from packages/fxa-content-server, I get the following output:
npm audit
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/pdehaan/.npm/_logs/2022-05-31T17_31_03_039Z-debug.log
Similarly, yarn audit gives the same error, but a bit more verbose:
yarn audit
node:internal/fs/utils:344
throw err;
^
Error: EAGAIN: resource temporarily unavailable, read
at Object.readSync (node:fs:723:3)
at tryReadSync (node:fs:433:20)
at Object.readFileSync (node:fs:479:19)
at Object.<anonymous> (/Volumes/Dev/github/mozilla/fxa/node_modules/audit-filter/cli.js:36:16)
at Module._compile (node:internal/modules/cjs/loader:1101:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1153:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
at node:internal/main/run_main_module:17:47 {
errno: -35,
syscall: 'read',
code: 'EAGAIN'
}
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file
{
"error": {
"code": "ENOLOCK",
"summary": "This command requires an existing lockfile.",
"detail": "Try creating one first with: npm i --package-lock-only\nOriginal error: loadVirtual requires existing shrinkwrap file"
}
}
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/pdehaan/.npm/_logs/2022-05-31T17_30_57_634Z-debug.log
FxA is no longer synchronizing all issues between Jira and Github. We are closing open issues and will selectively synchronize in the future.
Description
Was reading https://alexkondov.com/tao-of-node/#use-snyk this morning and it might be useful to set up for FxA pipeline. Although I'm not sure how it works w/ monorepos.
Was also taking a look at https://yarnpkg.com/cli/npm/audit#examples the other day and wondering if we should use it, or if we already are using npm audit w/ audit-filter and that gives similar results. We could also add the --json flag if we want to add more filtering or ignore certain dependencies, similar to what we did w/ audit-filter.
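The two pieces of this issue, the `npm audit --json | audit-filter ...` scripts in each package and the idea of filtering `--json` output against an ignore list, can be illustrated with a small Node filter. The block below is an added example, not code from the FxA repository or from audit-filter: the ignore-list shape (`IGNORE_LIST`), the function names (`filterAudit`, `runFilter`) and the sample report are this example's own, and the report's package names, advisory ids and URLs are constructed. The one behaviour worth copying is that the ENOLOCK error object npm prints to stdout (the `{"error": {...}}` shape in the comment above) is treated as a failed audit, never as a clean one.

```javascript
// Added example, not FxA's or audit-filter's code: a filter over `npm audit --json`
// output in the role audit-filter plays in the package.json "audit" scripts.
// IGNORE_LIST is this example's own format, not audit-filter's .nsprc format.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape npm 7+ emits (auditReportVersion 2).
// Package names, advisory ids and URLs are made up for this example.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad", severity: "high", isDirect: false, fixAvailable: true,
      via: [{ source: 100001, title: "Constructed: ReDoS", severity: "high",
              url: "https://example.invalid/advisories/100001" }],
    },
    "example-minimist": {
      name: "example-minimist", severity: "low", isDirect: true, fixAvailable: false,
      via: [{ source: 100002, title: "Constructed: prototype pollution", severity: "low",
              url: "https://example.invalid/advisories/100002" }],
    },
    "example-transitive": {
      name: "example-transitive", severity: "high", isDirect: false, fixAvailable: true,
      via: ["example-left-pad"], // string entry: affected only through the named package
    },
  },
};

// Constructed sample of what npm prints when no lockfile exists (the ENOLOCK case).
const SAMPLE_ERROR = {
  error: { code: "ENOLOCK", summary: "This command requires an existing lockfile.",
           detail: "Try creating one first with: npm i --package-lock-only" },
};

// Hypothetical ignore list: reviewed advisories carry an expiry date, so an
// exception has to be re-justified instead of living forever.
const IGNORE_LIST = {
  failOn: "moderate",
  exceptions: [
    { advisory: 100002, reason: "reviewed: vulnerable code path not reachable", expires: "2030-01-01" },
  ],
};

// Advisory ids whose exception has not yet expired on `today`.
function activeExceptions(ignoreList, today) {
  const ids = new Set();
  for (const e of ignoreList.exceptions || []) {
    if (new Date(e.expires) > today) ids.add(e.advisory);
  }
  return ids;
}

// Returns { ok, error, findings, ignored }. An `error` object in the report
// (e.g. ENOLOCK) means the audit did not run, which is a failure, not a pass.
function filterAudit(report, ignoreList, today = new Date()) {
  if (report.error) {
    return { ok: false, error: report.error.code, findings: [], ignored: [] };
  }
  const threshold = SEVERITY_RANK[ignoreList.failOn] ?? SEVERITY_RANK.low;
  const allowed = activeExceptions(ignoreList, today);
  const findings = [];
  const ignored = [];
  const seen = new Set();
  for (const pkg of Object.values(report.vulnerabilities || {})) {
    for (const via of pkg.via || []) {
      // Skip transitive references (strings) and advisories already counted.
      if (typeof via !== "object" || seen.has(via.source)) continue;
      seen.add(via.source);
      const item = { advisory: via.source, package: pkg.name, severity: via.severity, url: via.url };
      // Unknown severity fails closed by ranking it as critical.
      const rank = SEVERITY_RANK[via.severity] ?? SEVERITY_RANK.critical;
      if (allowed.has(via.source)) ignored.push(item);
      else if (rank >= threshold) findings.push(item);
    }
  }
  return { ok: findings.length === 0, error: null, findings, ignored };
}

// Takes the raw `npm audit --json` text and returns the exit code a CI step
// should use: 0 pass, 1 findings or audit error, 2 unreadable input.
function runFilter(auditJsonText, ignoreList, today = new Date()) {
  let report;
  try { report = JSON.parse(auditJsonText); } catch (e) { return 2; }
  const result = filterAudit(report, ignoreList, today);
  for (const f of result.findings) console.log(`FAIL ${f.severity} ${f.package} ${f.url}`);
  for (const i of result.ignored) console.log(`ignored ${i.package} advisory ${i.advisory}`);
  if (result.error) console.log(`audit did not run: ${result.error}`);
  return result.ok ? 0 : 1;
}

// Stand-alone demonstration on the constructed samples.
runFilter(JSON.stringify(SAMPLE_REPORT), IGNORE_LIST, new Date("2025-01-01"));
runFilter(JSON.stringify(SAMPLE_ERROR), IGNORE_LIST);
```

Wiring this into the pipeline would mean reading stdin where audit-filter's `--audit=-` does, then using `runFilter`'s return value as the process exit code; the point the example makes is that a missing lockfile (ENOLOCK), unparsable output, or an unknown severity all fail the step rather than silently passing it.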