Automatically fix vulnerabilities from npm dependencies #8
Comments
Hi @gsilvapt! Your issue is a pertinent one and it's also our opinion that any dependency vulnerability should be detected and fixed as soon as possible. We also agree that without unit tests, any automatic fix could lead to breaks, which we want to avoid. Meanwhile, we are fixing the 259 vulnerabilities in #17.
If you don't think auto-fix is feasible/safe, maybe dependabot would be a good strategy. I've used it for personal projects and had a good experience.
I would not recommend updating any dependency without a deep inspection. Due to the nature of this project the risk of being targeted is very high, and it is quite easy to inject malicious code through not-so-well-maintained projects. (I opened a ticket about this a few days ago: #84; it got closed after 1 dependency fix, but there are thousands in the tree that are auto-updating.) In a private project I would trust dependabot without issues. Opening a FE project to the public just for the sake of showing it is ridiculous: this project gives all the information a malicious user could ever want, plus you can't even prove this source is the one being deployed and distributed.
@bertolo1988 one of the reasons I suggested dependabot was because it is safer than doing auto-fix blindly. You obviously always review the PRs created by dependabot before merging. It just really makes the process easier.
Your CI/CD pipeline should contain a step to automatically audit and fix these vulnerabilities. High and critical ones will likely require manual input, and it should stop there. Low ones like the current 248 (analysed today, Thursday the 30th) would automatically be fixed.
However, fixing can break stuff unless your code is properly tested. This issue requires solving #7 first.
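Added example, not code from this issue or the project: a CI gate over the JSON that `npm audit --json` prints (npm 7+ report shape), implementing the policy described above (low findings queued for `npm audit fix`, high and critical findings stop the pipeline) and extending it to also stop on fixes that are semver-major bumps, which is the case where an untested auto-fix breaks things. The sample report and its package names are constructed.

```javascript
// Added example (not the project's code): gate a CI job on `npm audit --json` output.
// npm 7+ reports have `vulnerabilities[name].severity` and `fixAvailable`, where
// fixAvailable is true, false, or { name, version, isSemVerMajor } for a breaking fix
// (the kind that only `npm audit fix --force` would apply).
function gateAudit(report, autoFixSeverities = new Set(['info', 'low'])) {
  const manual = [];   // findings a human must review before anything is upgraded
  const autoFix = [];  // findings `npm audit fix` can resolve without a breaking change
  const unfixed = [];  // low findings with no fix available; reported, not blocking
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    const breaking = fix !== null && typeof fix === 'object' && fix.isSemVerMajor === true;
    if (!autoFixSeverities.has(v.severity)) {
      manual.push({ name, severity: v.severity, reason: 'severity outside auto-fix policy' });
    } else if (breaking) {
      manual.push({ name, severity: v.severity,
                    reason: `fix is a semver-major bump to ${fix.name}@${fix.version}` });
    } else if (fix === false) {
      unfixed.push(name);
    } else {
      autoFix.push(name);
    }
  }
  // 'stop' blocks the job; 'fix' means `npm audit fix` (no --force) is safe to run.
  const decision = manual.length ? 'stop' : autoFix.length ? 'fix' : 'clean';
  return { decision, manual, autoFix, unfixed };
}

// Convenience wrapper for piping: `npm audit --json | node audit-gate.js`.
function gateAuditJson(text) {
  return gateAudit(JSON.parse(text));
}

// Constructed sample in the npm 7+ audit report shape; package names are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'low', isDirect: false, fixAvailable: true },
    'pkg-b': { name: 'pkg-b', severity: 'high', isDirect: true, fixAvailable: true },
    'pkg-c': { name: 'pkg-c', severity: 'low', isDirect: true,
               fixAvailable: { name: 'pkg-c', version: '3.0.0', isSemVerMajor: true } },
    'pkg-d': { name: 'pkg-d', severity: 'low', isDirect: false, fixAvailable: false },
  },
  metadata: { vulnerabilities: { info: 0, low: 3, moderate: 0, high: 1, critical: 0, total: 4 } },
};
```

In a pipeline, exit non-zero when `decision` is `stop`, and run `npm audit fix` (never `--force`, which applies the semver-major bumps the gate flags) only when it is `fix`.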