
Comments (7)

brianamarie commented on September 22, 2024

I still am thinking a PR would be easier for the users, but it introduces an issue of us needing to keep the dependency up to date on a branch of the template repository. Not sure how to work with that yet.

from security.

brianamarie commented on September 22, 2024

I think we may have a possible fix:

  • We create a branch
  • somehow we capture the feedback from when a security vulnerability alert is created (? when is this though?)
  • we look for something like this
  • We use the field alert.fixed_in to fill in and commit the actual place we want to fix it in the package-lock.json file on the right line.
  • We open a PR like normal.

@ppremk @hectorsector What do you think?

Edit: It still doesn't really show best practices, but I think it's the simplest workaround.

Alternative:

Could we have LL actually update the package.json, and then somehow run npm install in another environment to update the package-lock.json properly?


ppremk commented on September 22, 2024

@brianamarie and @hectorsector, is this issue also directly linked to the #6 issue? 😄
If yes, I've updated the issue there, which might influence the direction we are heading.


brianamarie commented on September 22, 2024

@ppremk I don't think so, whether we have this as a fully functional node app or not, we will still run into this issue. Or maybe I am misunderstanding what you're asking?


hectorsector commented on September 22, 2024

We use the field alert.fixed_in to fill in and commit the actual place we want to fix it in the package-lock.json file on the right line.

The only thing I'm unsure about is committing the actual changes. With Learning Lab, we can only really do this via API calls and it would probably require a new action. But that's OK, it's part of what we're supposed to be doing when building these courses. The options, as I see them (but I want some input from @JasonEtco):

  • leverage the createFile action, using the data property.
  • use octokit to use the Git API endpoints


ppremk commented on September 22, 2024

@ppremk I don't think so, whether we have this as a fully functional node app or not, we will still run into this issue. Or maybe I am misunderstanding what you're asking?

It's clarified with your comments in the #6 issue :) thanks @brianamarie


brianamarie commented on September 22, 2024

So I think this maybe doesn't have to be so complicated.

If we don't include a package-lock.json file, only a package.json file, then we will still get the vulnerability alerts, and we can ask the user to update that file directly. No package-lock.json necessary.

I think we can actually stick close to our original flow, but we will need to add a step where the bot validates that the package has been changed to the most up-to-date version, which it should be able to get from an earlier event.

I've added this all to the config as pseudocode, so I think we can move on. Thank you @hectorsector and @ppremk!

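Added example, not code from this thread, from Learning Lab or from the course repository: one way the validation step described in the last comment could work. It takes the alert object from a GitHub repository_vulnerability_alert webhook (the field names affected_package_name and fixed_in are assumed here, and the sample payload below is constructed) and the learner's package.json, and checks that the declared version spec for the affected package no longer admits anything below fixed_in. The helper names (lowerBound, compareVersions, checkDependencyFixed) and the package name example-lib are hypothetical. Because the course ships no package-lock.json, npm install resolves to the newest version that satisfies the declared range, so the bot can only verify the lower bound the learner wrote in package.json; a spec it cannot parse (a tag, a URL, "*", a compound range) fails closed rather than being assumed fixed.

```javascript
// Added example (hypothetical helpers, not Learning Lab's own code).
// Decide whether a learner's package.json has bumped the package named in a
// repository_vulnerability_alert payload to at least alert.fixed_in.

// Constructed sample alert; the field names follow the webhook's alert
// object as assumed in the lead-in, and example-lib is not a real package.
const sampleAlert = {
  action: 'create',
  alert: {
    affected_package_name: 'example-lib',
    affected_range: '< 2.4.1',
    fixed_in: '2.4.1',
  },
};

// Constructed package.json contents before and after the learner's fix.
const vulnerablePackageJson = JSON.stringify({
  name: 'course-app',
  dependencies: { 'example-lib': '^2.3.0' },
});
const fixedPackageJson = JSON.stringify({
  name: 'course-app',
  dependencies: { 'example-lib': '^2.4.1' },
});

// Lower bound of a simple spec ("1.2.3", "^1.2.3", "~1.2.3", ">=1.2.3", "v1.2.3",
// optionally with a prerelease/build suffix) as [major, minor, patch].
// Anything else (tags, "*", compound ranges, git URLs) returns null: the bot
// cannot verify it, so the caller treats it as not fixed.
function lowerBound(spec) {
  const m = /^\s*(?:\^|~|>=|=|v)?\s*(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?\s*$/.exec(String(spec));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { ok, reason }. ok is true only when the package is declared and its
// spec's lower bound is at or above alert.fixed_in.
function checkDependencyFixed(packageJsonText, alert) {
  const name = alert.affected_package_name;
  let pkg;
  try {
    pkg = JSON.parse(packageJsonText);
  } catch (e) {
    return { ok: false, reason: 'package.json is not valid JSON' };
  }

  // Look in every dependency section; a devDependency is still installed.
  let spec = null;
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[section];
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) {
      spec = deps[name];
      break;
    }
  }
  if (spec === null) {
    return { ok: false, reason: `${name} is not declared in package.json` };
  }
  if (!alert.fixed_in) {
    return { ok: false, reason: `no fixed version is published for ${name}; it must be removed or replaced` };
  }

  const fixed = lowerBound(alert.fixed_in);
  if (!fixed) {
    return { ok: false, reason: `cannot parse fixed_in "${alert.fixed_in}"; check the alert manually` };
  }
  const current = lowerBound(spec);
  if (!current) {
    return { ok: false, reason: `cannot verify spec "${spec}" for ${name}; use an exact version or a caret range` };
  }
  if (compareVersions(current, fixed) < 0) {
    return { ok: false, reason: `${name} is "${spec}", which still allows versions below ${alert.fixed_in}` };
  }
  return { ok: true, reason: `${name} is "${spec}", at or above the fixed version ${alert.fixed_in}` };
}

// Stand-alone run against the constructed samples.
console.log(checkDependencyFixed(vulnerablePackageJson, sampleAlert.alert));
console.log(checkDependencyFixed(fixedPackageJson, sampleAlert.alert));
```

In a Learning Lab step the bot would fetch package.json from the learner's branch through the contents API, pass its decoded text in as packageJsonText, and take the alert object from the webhook event captured earlier in the course.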
