deps: Update audit-ci implementation #1045
Conversation
- Install latest audit-ci devDependency - Use yarn dlx instead of installed version in CI - Use .audit-ci.jsonc for better advisory management - Remove unused yarn install during the pipeline - Updates settings.json in VSCode to hide .audit-ci.jsonc - Removes unused advisory 1005059
quinnturner
requested review from
crypto-matto,
leejw51crypto and
calvinaco
as code owners
|
This pull request introduces 27 alerts when merging 6960446 into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging 4f8fc44 into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging f84e60d into cc73b5c - view on LGTM.com new alerts:
|
|
This pull request introduces 27 alerts when merging 42df653 into cc73b5c - view on LGTM.com new alerts:
|
| /.yarn/* | ||
| !/.yarn/releases |
There was a problem hiding this comment.
| /.yarn/* | |
| !/.yarn/releases | |
| .yarn/* | |
| # Uncomment !.yarn/cache/ if you want Zero-Installs | |
| # !.yarn/cache | |
| !.yarn/patches | |
| !.yarn/plugins | |
| !.yarn/releases | |
| !.yarn/sdks | |
| !.yarn/versions |
| with: | ||
| node-version: 14 | ||
|
|
||
| - name: Upgrade to Yarn 3.0 | ||
| run: | | ||
| yarn set version 3.0 |
There was a problem hiding this comment.
I don't recommend doing this. You should add the Yarn release to git based on the gitignore I suggested in this review. Yarn with automatically pick it up.
|
|
||
| - name: Remove any cached files | ||
| run: | | ||
| rm -Rf ./node_modules && rm -Rf ./.yarn/cache && rm -Rf ./.yarn/unplugged |
There was a problem hiding this comment.
I don't think this should be necessary.
| run: | | ||
| yarn run-audit | ||
| yarn dlx audit-ci@^6 --config .audit-ci.jsonc |
There was a problem hiding this comment.
You can also just use npx if you want. It doesn't matter which dependency manager's task runner you use, audit-ci will look at lock files. I usually use npx regardless of the dependency manager tbh since it seems quicker.
| @@ -22,11 +22,11 @@ jobs: | |||
|
|
|||
| - name: Install deps with big timeout | |||
| run: | | |||
| yarn install --network-timeout 600000 | |||
| yarn config set httpTimeout 600000 && yarn install | |||
There was a problem hiding this comment.
I usually use this for Yarn Berry pipeline installations for caching purposes:
- name: Prepare for install
run: |
echo -e "logFilters:\n - code: YN0013\n level: discard\n" > ~/.yarnrc.yml
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: |
echo "::set-output name=dir::$(yarn config get cacheFolder)"
echo -e "Yarn cache directory: $(yarn config get cacheFolder)"
- name: Cache Yarn
uses: actions/cache@v3
id: yarn-cache # use this to check for `cache-hit` (`steps.yarn-cache.outputs.cache-hit != 'true'`)
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: yarn-cache-folder-${{ hashFiles('yarn.lock', '.yarnrc.yml') }}
restore-keys: |
yarn-cache-folder-
- name: Install dependencies
run: yarn install --immutable
| "postcss": "7.0.36", | ||
| "web3": "1.6.0" | ||
| }, | ||
| "packageManager": "yarn@3.0.2" |
There was a problem hiding this comment.
I'd recommend going with yarn@3.2.0
I am the author of
audit-ci. I noticed this project was using it, and I wanted to help out!audit-cidevDependencyyarn dlxinstead of installed version in CI.audit-ci.jsoncfor better advisory managementyarn installduring the pipelinesettings.jsonin VSCode to hide.audit-ci.jsonc1005059I do have a separate approach for you to consider: run
audit-ciimmediately after runningactions/setup-nodeand before theyarn installwithyarn dlxin the release workflow. That way, if there's a compromised dependency that runs apostinstallin the release, you will catch it before it installs.馃懏馃徎馃懏馃徎馃懏馃徎 !!!! REFERENCE THE PROBLEM YOUR ARE SOLVING IN THE PR TITLE AND DESCRIBE YOUR SOLUTION HERE !!!! DO NOT FORGET !!!! 馃懏馃徎馃懏馃徎馃懏馃徎
PR Checklist:
yarn build)yarn test)yarn lint:js)yarn audit)Thank you for your code, it's appreciated! :)