Keep Python and JS requirements up to date / off insecure versions #500
Comments
I'm ok with both of these tools. In the absence of an automated, regular way to run nsp, I think running in CI is a good first step while we explore other options. We make commits to this repo pretty often: in the last year our longest gap was 6 days (around Christmas). In the past month our longest gap has been 2 days.
Some QA projects are already using requires.io <http://requires.io/>, so I recommend that on the Python side.
Requires.io is configured for the team/project, and NSP landed in prod, although it's having some issues: #520. I think we can call this closed.
#286 recommends we use an automated tool of some kind to monitor our dependencies and either keep them up to date, or at least alert us when they're out of date or have a security vulnerability.
After looking at their suggested tools, I think our best bet is:
Beyond alternatives to the above plan, the main open question is how to run nsp. Running it in CI won't ensure we get notified when a vulnerability is found until we make a PR or commit, but we don't have any regular jobs that just run and monitor the code. @mozilla/normandy Thoughts?
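The gap raised above is that a CI-triggered `nsp check` only runs when someone pushes, so a vulnerability disclosed during a quiet week goes unnoticed until the next commit. One way to close it is a scheduled (cron-style) CI job that runs the audit on a timer. The script below is an added example, not code from the normandy repository or from nsp; it assumes that `nsp check` exits non-zero when it reports a vulnerable package, that `NSP_BIN` names the nsp command, and that `NOTIFY_CMD` is a hypothetical hook supplied by the CI environment (for example a script that posts to the team's chat channel).

```shell
#!/bin/sh
# Added example; not code from the normandy repository or from nsp.
# Audit script for a scheduled (cron-style) CI job, so the dependency check
# runs on a timer rather than only when someone pushes a commit or opens a PR.
#
# Assumptions (not stated on the page):
#   - NSP_BIN names the nsp command (default: `nsp`) and `nsp check` exits
#     non-zero when it reports a vulnerable package.
#   - NOTIFY_CMD, if set, is a hypothetical hook (e.g. a script that posts to
#     the team's chat channel) that receives the message as its argument.
set -u

NSP_BIN="${NSP_BIN:-nsp}"

# Send a message to the team; falls back to stderr when no hook is configured.
notify() {
    if [ -n "${NOTIFY_CMD:-}" ]; then
        "$NOTIFY_CMD" "$1"
    else
        echo "NOTIFY: $1" >&2
    fi
}

# Audit the JS dependencies of the project checked out in $1.
# Returns 0 when clean, 1 when nsp reported vulnerabilities, 2 when the audit
# itself could not run. Keeping 1 and 2 distinct matters for a scheduled job:
# one that treats "nsp unavailable" like "no findings" silently stops auditing.
audit_js_deps() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        notify "dependency audit could not run: no such directory $dir"
        return 2
    fi
    if ! command -v "$NSP_BIN" >/dev/null 2>&1; then
        notify "dependency audit could not run: $NSP_BIN not found"
        return 2
    fi
    if ( cd "$dir" && "$NSP_BIN" check ); then
        return 0
    fi
    notify "nsp found vulnerable JS dependencies in $dir"
    return 1
}

# Map the audit result onto the job's exit status so the CI job goes red on
# both findings and tool failures.
main() {
    audit_js_deps "${1:-.}"
    rc=$?
    case "$rc" in
        0) echo "dependency audit clean" ;;
        1) echo "dependency audit FAILED: vulnerabilities reported" >&2 ;;
        *) echo "dependency audit FAILED: tool error" >&2 ;;
    esac
    return "$rc"
}

# Only run when invoked as a script with "run", e.g. `sh audit.sh run .`
if [ "${1:-}" = "run" ]; then
    main "${2:-.}"
fi
```

Wire `sh audit.sh run .` into whatever scheduled-job facility the CI provider offers (a daily cron entry is enough given the commit cadence described in this thread), and point `NOTIFY_CMD` at a real notifier so that a red scheduled job is seen by someone rather than only logged.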