deps: Update audit-ci implementation #1045
Conversation
- Install latest audit-ci devDependency - Use yarn dlx instead of installed version in CI - Use .audit-ci.jsonc for better advisory management - Remove unused yarn install during the pipeline - Updates settings.json in VSCode to hide .audit-ci.jsonc - Removes unused advisory 1005059
quinnturner
requested review from
crypto-matto,
leejw51crypto and
calvinaco
as code owners
|
This pull request introduces 27 alerts when merging 6960446 into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging 4f8fc44 into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging f84e60d into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging 42df653 into cc73b5c - view on LGTM.com new alerts:
|
| /.yarn/* | ||
| !/.yarn/releases |
There was a problem hiding this comment.
| /.yarn/* | |
| !/.yarn/releases | |
| .yarn/* | |
| # Uncomment !.yarn/cache/ if you want Zero-Installs | |
| # !.yarn/cache | |
| !.yarn/patches | |
| !.yarn/plugins | |
| !.yarn/releases | |
| !.yarn/sdks | |
| !.yarn/versions |
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Upgrade to Yarn 3.0 | ||
| run: | | ||
| yarn set version 3.0 |
There was a problem hiding this comment.
I don't recommend doing this. You should add the Yarn release to git based on the gitignore I suggested in this review. Yarn with automatically pick it up.
|
|
||
| - name: Remove any cached files | ||
| run: | | ||
| rm -Rf ./node_modules && rm -Rf ./.yarn/cache && rm -Rf ./.yarn/unplugged |
There was a problem hiding this comment.
I don't think this should be necessary.
| run: | | ||
| yarn run-audit | ||
| yarn dlx audit-ci@^6 --config .audit-ci.jsonc |
There was a problem hiding this comment.
You can also just use npx if you want. It doesn't matter which dependency manager's task runner you use, audit-ci will look at lock files. I usually use npx regardless of the dependency manager tbh since it seems quicker.
| @@ -22,11 +22,11 @@ jobs: | |||
|
|
|||
| - name: Install deps with big timeout | |||
| run: | | |||
| yarn install --network-timeout 600000 | |||
| yarn config set httpTimeout 600000 && yarn install | |||
There was a problem hiding this comment.
I usually use this for Yarn Berry pipeline installations for caching purposes:
- name: Prepare for install
run: |
echo -e "logFilters:\n - code: YN0013\n level: discard\n" > ~/.yarnrc.yml
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: |
echo "::set-output name=dir::$(yarn config get cacheFolder)"
echo -e "Yarn cache directory: $(yarn config get cacheFolder)"
- name: Cache Yarn
uses: actions/cache@v3
id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: yarn-cache-folder-${{ hashFiles('yarn.lock', '.yarnrc.yml') }}
restore-keys: |
yarn-cache-folder-
- name: Install dependencies
run: yarn install --immutable
| "postcss": "7.0.36", | ||
| "web3": "1.6.0" | ||
| }, | ||
| "packageManager": "[email protected]" |
There was a problem hiding this comment.
I'd recommend going with [email protected]
I am the author of
audit-ci. I noticed this project was using it, and I wanted to help out!audit-cidevDependencyyarn dlxinstead of installed version in CI.audit-ci.jsoncfor better advisory managementyarn installduring the pipelinesettings.jsonin VSCode to hide.audit-ci.jsonc1005059I do have a separate approach for you to consider: run
audit-ciimmediately after runningactions/setup-nodeand before theyarn installwithyarn dlxin the release workflow. That way, if there's a compromised dependency that runs apostinstallin the release, you will catch it before it installs.👮🏻👮🏻👮🏻 !!!! REFERENCE THE PROBLEM YOUR ARE SOLVING IN THE PR TITLE AND DESCRIBE YOUR SOLUTION HERE !!!! DO NOT FORGET !!!! 👮🏻👮🏻👮🏻
PR Checklist:
yarn build)yarn test)yarn lint:js)yarn audit)Thank you for your code, it's appreciated! :)