Write an nsp verifyConditions plugin #67

Closed
boennemann opened this Issue Aug 23, 2015 · 6 comments

boennemann (Member) commented Aug 23, 2015

The nodesecurity project offers the nsp module, which allows you to audit a package.json and find security vulnerabilities.

I'd love to see a semantic-release verifyConditions plugin (just like condition-travis) that aborts any release where there are security vulnerabilities in the dependencies, but I might not immediately have the time to do it myself.

If you want to give this a shot let me know in this issue and I'm happy to help wherever I can. You can reach me in the semantic-release gitter room, or on Twitter.
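As an added example (not code from the semantic-release project or from anyone in this thread), a verifyConditions plugin of the kind described above: it runs an audit function and aborts the release when findings at or above a configured severity remain, unless they are on an explicit allowlist. The advisory shape and the `audit` option are assumptions for this example, not nsp's real output format; the plugin contract (throwing from verifyConditions aborts the release) is semantic-release's current one.

```javascript
// Severity ranking used to decide whether a finding blocks the release.
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// Return the advisories that must block the release.
// failOn: lowest blocking severity (default 'low', i.e. every finding blocks).
// allowlist: advisory ids the team has explicitly reviewed and accepted.
function findBlockingVulnerabilities(advisories, { failOn = 'low', allowlist = [] } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`Unknown failOn severity: ${failOn}`);
  return advisories.filter((adv) => {
    const rank = SEVERITY_RANK[adv.severity];
    // An unrecognised severity blocks rather than being silently ignored.
    if (rank === undefined) return true;
    return rank >= threshold && !allowlist.includes(adv.id);
  });
}

function formatFinding(adv) {
  return `${adv.module}@${adv.version}: ${adv.title} [${adv.severity}] (${adv.id})`;
}

// semantic-release calls verifyConditions before any release step; a rejected
// promise aborts the release. pluginConfig.audit is an async function returning
// the advisory list (assumed here so the example runs offline; a real plugin
// would run nsp or another audit tool there).
async function verifyConditions(pluginConfig, context) {
  const { audit, failOn, allowlist } = pluginConfig;
  if (typeof audit !== 'function') {
    throw new Error('verifyConditions: pluginConfig.audit must be a function');
  }
  const advisories = await audit();
  const blocking = findBlockingVulnerabilities(advisories, { failOn, allowlist });
  if (blocking.length > 0) {
    const details = blocking.map(formatFinding).join('\n  ');
    throw new Error(`Release aborted: ${blocking.length} vulnerable dependencies\n  ${details}`);
  }
  context.logger.log(`Dependency audit clean (${advisories.length} advisories evaluated)`);
}

// Constructed sample advisories (not real findings) for a stand-alone run.
const SAMPLE_ADVISORIES = [
  { id: 'ADV-1', module: 'pkg-a', version: '1.0.0', severity: 'low', title: 'example low finding' },
  { id: 'ADV-2', module: 'pkg-b', version: '2.0.0', severity: 'high', title: 'example high finding' },
];

if (typeof module !== 'undefined') { // export as a plugin when loaded via CommonJS
  module.exports = { verifyConditions, findBlockingVulnerabilities, SAMPLE_ADVISORIES };
}
```

Allowlisting an advisory id should be a deliberate, reviewed decision; the default of failing on every finding is the safe setting.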

accraze commented Oct 2, 2015

Hi, I'm interested in giving this a shot...

boennemann (Member) commented Oct 7, 2015

Hey @accraze,

Sorry this slipped through my notifications. Do you need any guidance? I'm happy to help you to get this going :)

Best,
Stephan

accraze commented Oct 10, 2015

No worries @boennemann! Can you make a repo for it?

pvdlg (Member) commented Dec 15, 2017

As mentioned in several comments in #68, running nsp is more appropriate in the test phase than in the release phase. If a dependency update is creating a security risk, the test should fail and semantic-release shouldn't even be called. In addition, the alert can be reported directly in the PR (as the build would fail due to the failed tests), before it gets merged.

Has anyone any objection regarding closing this issue?

pvdlg (Member) commented Dec 31, 2017

Closing per previous comment. Please re-open if the previous comment is not accurate.

@pvdlg pvdlg closed this Dec 31, 2017

@pvdlg pvdlg removed the info requested label Dec 31, 2017
