[wip] yarn 1.16, safety, audit in CI 🧶🧷🚨 #6336
Conversation
Thanks for making a pull request to JupyterLab! To try out this branch on binder, follow this link:
So it found one
Hooray data! However, it didn't make it to the dev
Perhaps the right place to put these in CI in an
In the initial case of using it for CI, it should be able to emit
(Paranoid) end users would be able to make use of it, and heck,
Building it "right" would also mean it would work with custom
Thoughts?
So I have yet to get a real bead on why the root doesn't work. It might be a number of things:
@bollwyvl - do you want to take this up for jlab 2.0? We'd like to minimally upgrade yarn, but if some more of this work can get in, that would be great too.
Closing as stale
References
Code changes
- `staging` and `devDependency` `yarn` to `1.16.0`
- `yarn audit`
- `audit`
- CI step to invoke `yarn audit` and `safety check`
User-facing changes
Backwards-incompatible changes
Alternatives
While upgrading yarn seems like a fine idea, and `audit` could allow us to help users understand potential ramifications of installing extensions, we could alternatively go with...
audit-ci
IBM/audit-ci is much more configurable than the built-in `yarn audit`. For example, for Reasons, let's say we can't upgrade `marked` right now, which generates a couple hundred `moderate` warnings. `audit-ci` would let us ignore the specific, numbered advisories related to regex explosion by adding a line to its config file. This would give us an "out" when a vulnerability shows up, as the chances of a well-sorted JSON file leading to merge conflicts from multiple PRs is far less impactful than a bunch of `package.json` and `yarn.lock` changes.
snyk.io, pyup.io
Instead of rolling our own, go with bot-based services. Both offer free accounts for open source projects. As I mentioned on #6331, `yarn audit` depends on the largesse of `npm`, but is a POST request of basically our whole `yarn.lock`, which seems to `503` fairly frequently (at least in the last 24 hours). By having the bots call us, we'll likely get a better workflow, and burn less CI coal.
🛎️ @jasongrout
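As an added example (not code from this PR, from audit-ci or from JupyterLab), a small Python CI gate that applies the audit-ci idea from the description above to yarn 1.x `yarn audit --json` output: advisories whose numeric ids are on a checked-in allowlist are skipped, and anything else at or above a severity threshold fails the build. The record shapes follow yarn 1.x's line-per-object `--json` output; the sample records, advisory ids, titles and the `example-dep` package are constructed.

```python
import json

# Severity names as they appear in yarn/npm advisories, ordered for comparison.
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_yarn_audit(ndjson):
    """Yield advisory dicts from yarn 1.x `yarn audit --json` (one JSON object per line)."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        # Advisory records carry type "auditAdvisory"; the final "auditSummary" is skipped.
        if record.get("type") == "auditAdvisory":
            yield record["data"]["advisory"]


def failing_advisories(ndjson, threshold="moderate", allowlist=()):
    """Return (id, severity, module) for advisories that should fail CI.

    Ids in `allowlist` are skipped, mirroring audit-ci's config of accepted,
    numbered advisories; anything else at or above `threshold` is reported.
    """
    allowed = {int(i) for i in allowlist}
    minimum = SEVERITY_RANK[threshold]
    failures = []
    for adv in parse_yarn_audit(ndjson):
        if adv["id"] in allowed:
            continue
        if SEVERITY_RANK.get(adv.get("severity"), 0) >= minimum:
            failures.append((adv["id"], adv["severity"], adv["module_name"]))
    return failures


# Constructed sample output: ids, titles and "example-dep" are made up.
SAMPLE_AUDIT = "\n".join(json.dumps(r) for r in [
    {"type": "auditAdvisory", "data": {"advisory": {
        "id": 1001, "severity": "moderate", "module_name": "marked",
        "title": "Regular Expression Denial of Service"}}},
    {"type": "auditAdvisory", "data": {"advisory": {
        "id": 1002, "severity": "high", "module_name": "example-dep",
        "title": "Prototype Pollution"}}},
    {"type": "auditSummary", "data": {"vulnerabilities": {
        "info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 0}}},
])

if __name__ == "__main__":
    # The accepted ids would live in a checked-in JSON file, as with audit-ci.
    for adv_id, severity, module in failing_advisories(SAMPLE_AUDIT, "moderate", {1001}):
        print(f"FAIL: advisory {adv_id} ({severity}) in {module}")
```

In CI the script would read `yarn audit --json | python gate.py` and exit non-zero when the returned list is non-empty, so an accepted `marked` advisory no longer blocks every PR while a new high-severity one still does.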