Security issues

[bingomanatee]

Bug or issue?

Please try to answer the following questions:

• What version of Neutrino are you using?
• Are you trying to use any presets? If so, which ones, and what versions?
• Are you using the Yarn client or the npm client? What version?
• What version of Node.js are you using?
• What operating system are you using?
• What did you do?
• What did you expect to happen?
• What actually happened, contrary to your expectations? In version 8.2.3, singificant security issues

run npm audit - there is a trail of security issues with neutrino.

Feature request or enhancement?

Please describe your request in detail. Use the following questions as guidance:

• What is the goal of the change?
• What are the pros and cons of the change?
• Could this dramatically improve the experience of our users?

[edmorley]

Hi!

I just did an npm install (which runs audit) of all 38 monorepo Neutrino 8.2.3 packages using npm v6.0.1, and it found zero vulnerabilities: https://gist.github.com/edmorley/add76158c0492ad6a6ee4b77d496d4cd

From reading the docs it appears that the NPM audit feature only inspects the contents of a local package-lock.json rather than actually checking the latest version of the packages available.

As such, I think your package-lock.json may just be out of date? Could you try removing it and regenerating it - and then trying again?

On a side note, it's slightly annoying that npm:

• only makes this feature available via the CLI (rather than having a david-dm style service), which means yarn users like myself have to install it just for this
• still doesn't support workspaces, so it's a massive pain to run on a monorepo
• don't also check the latest version of packages and make it clear to users whether the vulnerability is due to their stale package-lock.json or to the latest dependency chain itself

[eliperelman]

We could also turn on Snyk for Neutrino, but I have it on for other repos as well and it seems to generate a lot of false positives and can be noisy.

[edmorley]

I think since:

• we have Renovate enabled (and so virtually all of our dependencies are up to date)
• the impact of vulnerabilities is generally much lower for a project like this vs a server product

...that Snyk etc probably wouldn't add much value.

They also don't seem to support monorepos: https://snyk.io/test/github/mozilla-neutrino/neutrino-dev?tab=dependencies&vulns=all

[eliperelman]

Yeah you're probably right, alerts will just generate noise, nothing highly actionable.

[edmorley]

@bingomanatee did you see this? :-)

As such, I think your package-lock.json may just be out of date? Could you try removing it and regenerating it - and then trying again?

[edmorley]

Closing this out since the npm audit of Neutrino 8 showed zero issues, so this was likely due to a stale package-lock.json in your project. Deleting the lockfile and re-generating it should resolve the warnings you saw.

I'd strongly recommend using something like Renovate to automate keeping both your dependencies and lockfile up to date.