Keep Python and JS requirements up to date / off insecure versions #500
Assignees
Comments
|
I'm ok with both of these tools. In the absence of an automated, regular way to run nsp, I think running in CI is a good first step while we explore other options. We make commits to this repo pretty often: in the last year our longest gap was 6 days (around Christmas). In the past month out longest gap has been 2 days. |
|
Some QA projects are already using requires.io <http://requires.io/>, so I recommend that on the Python side.
|
Osmose
pushed a commit
to Osmose/normandy
that referenced
this issue
Feb 15, 2017
|
Requires.io is configured for the team/project, and NSP landed in prod, although it's having some issues: #520 I think we can call this closed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
#286 recommends we use an automated tool of some kind to monitor our dependencies and either keep them up to date, or at least alert us when they're out of date or have a security vulnerability.
After looking at their suggested tools, I think our best bet is:
Beyond alternatives to the above plan, the main open question is how to run
nsp. Running it in CI won't ensure we get notified when a vulnerability is found until we make a PR or commit, but we don't have any regular jobs that just run and monitor the code.@mozilla/normandy Thoughts?
The text was updated successfully, but these errors were encountered: