Comments (7)
I still am thinking a PR would be easier for the users, but it introduces an issue of us needing to keep the dependency up to date on a branch of the template repository. Not sure how to work with that yet.
from security.
I think we may have a possible fix:
- We create a branch
- somehow we capture the feedback from when a security vulnerability alert is created (? when is this though?)
- we look for something like this
- We use the field `alert.fixed_in` to fill in and commit the actual place we want to fix it in the `package-lock.json` file on the right line.
- We open a PR like normal.
@ppremk @hectorsector What do you think?
Edit: It still doesn't really show best practices, but I think it's the simplest workaround.
Alternative:
Could we have LL actually update the `package.json`, and then somehow run `npm install` in another environment to update the `package-lock.json` properly?
@brianamarie and @hectorsector, is this issue also directly linked to the #6 issue?
If yes, I've updated the issue in there, which might influence the direction we are heading.
@ppremk I don't think so, whether we have this as a fully functional node app or not, we will still run into this issue. Or, maybe am I misunderstanding what you're asking?
> We use the field `alert.fixed_in` to fill in and commit the actual place we want to fix it in the `package-lock.json` file on the right line.

The only thing I'm unsure about is committing the actual changes. With Learning Lab, we can only really do this via API calls and would probably require a new action. But that's OK, it's part of what we're supposed to be doing when building these courses. The options, as I see them (but want some input from @JasonEtco):
- leverage the `createFile` action, using the `data` property.
- use `octokit` to use the Git API endpoints
> @ppremk I don't think so, whether we have this as a fully functional node app or not, we will still run into this issue. Or, maybe am I misunderstanding what you're asking?

It's clarified with your comments in the #6 issue :) thanks @brianamarie
So I think this maybe doesn't have to be so complicated.
If we don't include a `package-lock.json` file, only a `package.json` file, then we will still get the vulnerability alerts, and we can ask the user to update that file directly. No `package-lock.json` necessary.
I think we can actually stick close to our original flow, but we will need to add a step where the bot validates that the package has been changed to the most up-to-date version, which it should be able to get from an earlier event.
I've added this all to the config as pseudocode, so I think we can move on. Thank you @hectorsector and @ppremk!
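The two bot steps discussed in this thread, filling in the version from `alert.fixed_in` (the earlier proposed flow) and validating that the user has bumped the dependency to at least that version (the simplified flow in the last comment), as an added example that is not part of the original thread or of the course's own code. It assumes a hypothetical alert object of the shape `{ package, fixed_in }` and a constructed sample `package.json`; it edits `package.json` rather than `package-lock.json`, following the last comment, and compares only the declared minimum version in the manifest, not whatever a lock file would resolve to. The returned file content is what an action such as `createFile` or an octokit Git API call would commit.

```javascript
// Added example, not from the thread. Alert shape { package, fixed_in } is assumed;
// the sample package.json and alert below are constructed for illustration.

// Minimal semver parse: "^1.2.3", "~1.2.3", ">=1.2.3", "1.2.3" -> [1, 2, 3]; null if unparseable.
// Only the leading lower bound of a range is read; prerelease tags and "||" ranges are ignored.
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Locate a dependency in either dependencies or devDependencies.
function findDependency(pkg, name) {
  for (const field of ["dependencies", "devDependencies"]) {
    const section = pkg[field];
    if (section && Object.prototype.hasOwnProperty.call(section, name)) {
      return { field, spec: section[name] };
    }
  }
  return null;
}

// Proposed "fill in the fix" step: rewrite package.json so the vulnerable package
// declares at least alert.fixed_in. Returns the new file content, or null if the
// package is not declared (nothing for the bot to commit in that case).
function applyFix(packageJsonText, alert) {
  const pkg = JSON.parse(packageJsonText);
  const dep = findDependency(pkg, alert.package);
  if (!dep) return null;
  pkg[dep.field][alert.package] = `^${alert.fixed_in}`;
  return JSON.stringify(pkg, null, 2) + "\n";
}

// Validation step: has the learner bumped the package to fixed_in or newer?
// Returns { ok, reason } so the bot can explain a failed check to the user.
function validateFix(packageJsonText, alert) {
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (e) {
    return { ok: false, reason: "package.json is not valid JSON" };
  }
  const dep = findDependency(pkg, alert.package);
  if (!dep) return { ok: false, reason: `${alert.package} is not declared` };
  const have = parseVersion(dep.spec);
  const want = parseVersion(alert.fixed_in);
  if (!have || !want) return { ok: false, reason: `cannot parse version "${dep.spec}"` };
  const ok = compareVersions(have, want) >= 0;
  return { ok, reason: ok ? "up to date" : `${dep.spec} is older than ${alert.fixed_in}` };
}

// Constructed sample manifest; "example-lib" and its versions are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify(
  {
    name: "course-sample",
    version: "1.0.0",
    dependencies: { "example-lib": "^1.2.3" },
    devDependencies: { eslint: "^4.0.0" }
  },
  null,
  2
);

// Constructed alert; the real one would come from the vulnerability alert event.
const SAMPLE_ALERT = { package: "example-lib", fixed_in: "1.2.5" };

// Stand-alone run: apply the fix, then validate before and after.
const fixedText = applyFix(SAMPLE_PACKAGE_JSON, SAMPLE_ALERT);
console.log("before:", validateFix(SAMPLE_PACKAGE_JSON, SAMPLE_ALERT));
console.log("after: ", validateFix(fixedText, SAMPLE_ALERT));
```

`validateFix` deliberately reports a reason string rather than just a boolean, since in the course flow the bot has to tell the learner why a check failed (wrong package edited, version still too low, file no longer valid JSON).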