Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(build) Add yarn npm audit workflow #397

Merged
merged 1 commit into from
May 6, 2024
Merged

(build) Add yarn npm audit workflow #397

merged 1 commit into from
May 6, 2024

Conversation

st3phhays
Copy link
Member

@st3phhays st3phhays commented Apr 15, 2024
edited
Loading

Description Of Changes

This adds a workflow to run yarn npm audit on
every pull request to ensure we do not introduce
security vulnerabilities.

Motivation and Context

This is another step to ensure we do not release security vuilnerabilities.

Testing

See this failed workflow: https://github.com/chocolatey/choco-theme/actions/runs/8898008295/job/24434208562?pr=397

A package was purposefully downgraded to show how it would report vulnerabilities.

Operating Systems Testing

n/a

Change Types Made

  • Bug fix (non-breaking change).
  • Feature / Enhancement (non-breaking change).
  • Breaking change (fix or feature that could cause existing functionality to change).
  • Documentation changes.
  • PowerShell code changes.

Change Checklist

  • Requires a change to the documentation.
  • Documentation has been updated.
  • Tests to cover my changes, have been added.
  • All new and existing tests passed?
  • PowerShell code changes: PowerShell v2 compatibility checked?

Related Issue

TBD

@st3phhays st3phhays self-assigned this Apr 15, 2024
@st3phhays st3phhays marked this pull request as draft April 15, 2024 16:15
@st3phhays
Copy link
Member Author

This is in draft because I want to figure out what happens in this workflow if warnings are found. I want it to report them, and fail this action.

@st3phhays st3phhays force-pushed the yarn-npm-audit branch 4 times, most recently from 99449cc to 6f9afcf Compare April 30, 2024 16:04
@st3phhays
Copy link
Member Author

See this run for an example of how it would report if there are vulnerabilities. It will fail if there are moderate or severe vulnerabilities.

https://github.com/chocolatey/choco-theme/actions/runs/8898008295/job/24434208562?pr=397

@st3phhays st3phhays marked this pull request as ready for review April 30, 2024 16:08
@st3phhays st3phhays requested a review from corbob April 30, 2024 16:08
@st3phhays st3phhays mentioned this pull request Apr 30, 2024
Merged
10 tasks
@st3phhays
(build) Add yarn npm audit workflows
fb32458 
This adds a workflow to run `yarn npm audit` on
every pull request to ensure we do not introduce
security vulnerabilities.
@corbob corbob merged commit b4f1d08 into chocolatey:main May 6, 2024
3 checks passed
@corbob
Copy link
Member

corbob commented May 6, 2024

Thanks for getting this added @st3phhays 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corbob corbob corbob approved these changes

Assignees

@st3phhays st3phhays

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@st3phhays @corbob