You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What are you trying to do?
We occasionally add whitelist entries for vulnerabilities which don't have a current solution, but are likely to be resolved by package maintainers at some point in the future. The risk in adding a whitelist entry is we will undoubtedly forget to come back and fix the issue / upgrade packages once the vulnerability has been resolved.
What feature or behavior is this required for?
Often CI/CD pipelines will run auditjs and prevent deployment if there are vulnerabilities. Sometimes a whitelist entry is required to ensure development can continue. However, we want to minimise our risk and force a whitelist review, instead of "set and forget".
How could we solve this issue? (Not knowing is okay!)
We could have a global option lastReviewDate to force a regular review of whitelist entries, however this doesn't seem granular enough. There may be vulnerabilities which we want to permanently ignore, and others that we know the expected fix date. Hence, adding an optional lastReviewDate field to whitelist entries.
Anything else?
I've implemented this and will create a PR for review.
Amusingly, the same prompt for us to create this PR is also affecting the auditjs build itself!
The node-fetch package has a vulnerability which is causing the build to fail. There's no fix in node-fetch yet. Rather than simply adding a whitelist entry and forgetting about it, it would be better to add the whitelist entry with a reviewDate which will force us to revisit this at a later date and see if the vulnerability has been resolved.
What are you trying to do?
We occasionally add whitelist entries for vulnerabilities which don't have a current solution, but are likely to be resolved by package maintainers at some point in the future. The risk in adding a whitelist entry is we will undoubtedly forget to come back and fix the issue / upgrade packages once the vulnerability has been resolved.
What feature or behavior is this required for?
Often CI/CD pipelines will run auditjs and prevent deployment if there are vulnerabilities. Sometimes a whitelist entry is required to ensure development can continue. However, we want to minimise our risk and force a whitelist review, instead of "set and forget".
How could we solve this issue? (Not knowing is okay!)
We could have a global option
lastReviewDate
to force a regular review of whitelist entries, however this doesn't seem granular enough. There may be vulnerabilities which we want to permanently ignore, and others that we know the expected fix date. Hence, adding an optionallastReviewDate
field to whitelist entries.Anything else?
I've implemented this and will create a PR for review.
cc @bhamail / @DarthHater / @allenhsieh / @ken-duck
The text was updated successfully, but these errors were encountered: