Closed dberesford closed 5 years ago
Lockfiles were intentionally disabled, as you can see here: https://github.com/nearform/udaru/pull/499#discussion_r176905785

Although they are never added to a commit, we can generate them using `npm i --package-lock-only` and then run `npm audit`.

As of today, for all 4 packages, this results in: 43 vulnerabilities (6 low, 22 moderate, 15 high). Almost all of them are introduced through `npx`.
The `npx` package is mainly used to just run internal scripts from `package.json`. But since it runs packages that are already in the dependencies, it would be better to run them directly.

Example: in udaru-core => `package.json` => `scripts` there is: `"depcheck": "npx depcheck"`

But we could just run `depcheck`, because that package is already in `devDependencies`.
I suggest:

- Remove the `npx` package (only used in `package.json` scripts) completely from all dependencies and replace it with direct calls. This would remove almost all vulnerability warnings.
- Run `npm audit` for all the individual packages.

cc: @dberesford @mcollina
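
The replacement proposed above (drop `npx`, call already-declared packages directly) can be checked mechanically. The following is an added example, not code from the udaru repository: it scans a constructed `package.json` object for scripts that go through `npx` and reports which of those tools are already declared dependencies, so the `npx` dependency (and the audit findings it pulls in) can be removed.

```javascript
// Added example: find package.json scripts that invoke a tool via `npx`
// although that tool is already a declared dependency. In an npm script,
// a declared package's binaries are on PATH, so the tool can be run directly.

// Constructed sample, modelled on the udaru-core "depcheck" script above.
const samplePackageJson = {
  name: "example-core",
  scripts: {
    depcheck: "npx depcheck",
    lint: "npx eslint src",
    test: "mocha test",
    release: "npx some-remote-tool --flag", // hypothetical, not declared
  },
  dependencies: {},
  devDependencies: {
    depcheck: "^0.6.0", eslint: "^5.0.0", mocha: "^5.0.0", npx: "^10.0.0",
  },
};

// Match `npx <pkg>` at the start of a script or after a `&&` chain.
const NPX_CALL = /(^|&&\s*)npx\s+(@?[\w./-]+)/g;

function findNpxCalls(pkg) {
  const declared = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
  const findings = [];
  for (const [script, cmd] of Object.entries(pkg.scripts || {})) {
    for (const m of cmd.matchAll(NPX_CALL)) {
      const tool = m[2];
      const isDeclared = declared.has(tool);
      findings.push({
        script,
        tool,
        declared: isDeclared,
        // Direct call: strip `npx ` and keep the rest of the command.
        replacement: isDeclared ? cmd.replace(m[0], m[1] + tool) : null,
      });
    }
  }
  return findings;
}

// `npx` itself can be dropped only if every npx call has a direct replacement.
function npxRemovable(pkg) {
  const findings = findNpxCalls(pkg);
  return findings.length > 0 && findings.every((f) => f.declared);
}

console.log(findNpxCalls(samplePackageJson));
console.log("npx removable:", npxRemovable(samplePackageJson));
```

Scripts that `npx` a tool not listed in any dependency block show `replacement: null`; those need the tool added to `devDependencies` before `npx` can go.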
+1 to all the above.
As of today no vulnerabilities are reported anymore.

Can check for all packages now with a single command: `npm run test:audit`
Let's take a look at https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure and hopefully incorporate into udaru CI.
We do need to add a lockfile to udaru-hapi-server first (which we should do anyway). Running this locally there appears to be a lot of warnings about npx and a few other modules, let's dig into these and see if we can get to a clean scan.