Metadata
- Source: C2LC-553
- Type: Task
- Priority: N/A
- Status: Won't Fix
- Resolution: N/A
- Assignee: Daniel Cho
- Reporter: Tony Atkins [RtF]
- Created: 2021-11-30T03:31:17.016-0500
- Updated: 2024-06-03T10:41:42.626-0400
- Versions: N/A
- Fixed Versions: N/A
- Component: Coding Environment
Description
Currently, npm audit lists a number of security vulnerabilities related to the build tools that are part of react-create-scripts. We currently run npm audit in CI but allow the check to fail with a warning.
The output of this process doesn't appear in the summary on the PR, so keeping on top of this either requires us to drill into the report periodically or run it manually (or to wade through the similar reports provided by GitHub).
As an improvement over this, we have been discussing trying npm-audit-resolver, which would:
- Let us manage which vulnerabilities we chose to accept as safe (or that we choose to defer addressing temporarily).
- Give us a CI command that would fail only on newly discovered vulnerabilities.
It provides good options for ignoring particular issues, for identifying who ignored which issues, for managing the process using pull requests and reviews, and also includes the option to temporarily ignore an issue, so that it eventually is highlighted again. Although this is a third-party tool, there is an RFC to add its functionality to npm audit itself.
If we decide to proceed, this ticket covers adding the new audit check to CI (I have proposed using it via npx). It also covers creating the initial audit-resolve.json file to exclude the vulnerabilities in our build chain that never appear in production and are thus not of as great concern.
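As an added illustration of the CI step proposed above (this is example configuration, not from the ticket or the project's repository): a GitHub Actions job that runs npm-audit-resolver's check-audit command through npx, so the job fails only for advisories that have no decision recorded in audit-resolve.json (or whose temporary ignore has expired). The workflow name, the Node version, the runner image and the exact npx -p invocation are assumptions; check the npm-audit-resolver README for the current command names before copying this.

```yaml
# Added example (not from the ticket): CI job that runs npm-audit-resolver via npx.
name: audit            # assumption: workflow name
on: [pull_request]
jobs:
  audit:
    runs-on: ubuntu-latest        # assumption: GitHub-hosted runner
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 18          # assumption: project's Node version
      - run: npm ci
      # npx -p installs npm-audit-resolver into a temporary prefix and runs
      # its check-audit bin. check-audit exits non-zero only for advisories
      # that audit-resolve.json does not cover, so the step fails on newly
      # discovered vulnerabilities rather than on the whole backlog.
      - run: npx --yes -p npm-audit-resolver check-audit
```

The decisions that check-audit reads are written by running the package's interactive resolve-audit command locally; committing the resulting audit-resolve.json is what gives the pull-request review trail the ticket describes. If the only goal were to drop advisories that come from build-only devDependencies, plain `npm audit --omit=dev` (npm 8 and later; `--production` on older npm) is a lighter alternative, but it records neither who accepted an advisory nor when that acceptance should be revisited.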