Add cargo audit and npm audit to CI (#2034)

* Add `cargo audit` and `npm audit` to CI This runs: - On PRs that modify Cargo.toml or Cargo.lock - weekly and opens issues if either cargo or npm report an error. This does have false positives occasionally, especially for dev-dependencies, but catching vulnerabilities seems worth it. I've used the cargo-audit action before and can vouch for it. I glanced over the code in https://github.com/oke-py/npm-audit-action and it looks reasonable - not super well maintained, but not actively malicious, and we can turn it off, make PRs, or fork it later if it's really a problem. * Update vulnerable rust dependencies - Switch from `ws` to `parity-ws` `ws` is unmaintained and has security vulnerabilities. - Update tar to 0.4.37 This fixes a security vulnerability in version before 0.4.36. Co-authored-by: Cass <cass@cloudflare.com>
cloudflare · Aug 27, 2021 · c8a073a · c8a073a
1 parent 6fbc66b
commit c8a073a
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 22 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -0,0 +1,34 @@
+name: Audit
+
+on:
+  push:
+  pull_request:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - "**/package-lock.json"
+      - "**/npm-shrinkwrap.json"
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: cargo audit
+        uses: actions-rs/audit-check@v1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: npm audit
+        uses: oke-py/npm-audit-action@v1.7.3
+        with:
+          dedupe_issues: true
+          working_directory: npm
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: changelog-generator audit
+        uses: oke-py/npm-audit-action@v1.7.3
+        with:
+          dedupe_issues: true
+          working_directory: changelog-generator
+          github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -72,7 +72,7 @@ twox-hash = "1.6.0"
 url = "2.2.0"
 uuid = { version = "0.8", features = ["v4"] }
 which = "4.0.2"
-ws = "0.9.1"
+ws = { version = "0.11", package = "parity-ws" }
 
 [dev-dependencies]
 assert_cmd = "2.0.0"