chore(deps): Get audit-filter working for all packages in monorepo
* Add a lint:deps job to the top-level package.json, so lerna can run
  lint:deps in all packages in parallel.

* Also fix today's handlebars vulnerability, so that builds don't fail.

Some of the vulnerabilities are in transitive dependencies, yet the
suggested `npm update foo --depth N` command sometimes seems to do
nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by
npm/cli#239, but perhaps that didn't fix all the
cases? As a workaround, I've added exceptions where npm wasn't able to
fixup vulnerabilities.

Fixes #2229.
jaredhirsch committed Nov 14, 2019
1 parent e098929 commit 8fe9554
Showing 21 changed files with 2,165 additions and 107 deletions.
1 change: 1 addition & 0 deletions package.json
@@ -6,6 +6,7 @@
"authors": "git shortlog -s | cut -c8- | sort -f > AUTHORS",
"postinstall": "_scripts/install_all.sh",
"npm-ci-all": "lerna exec --parallel -- npm ci",
"lint:deps": "lerna exec --parallel -- npm run lint:deps",
"start": "pm2 start mysql_servers.json && echo \"Use 'npm stop' to stop all the servers\"",
"stop": "pm2 kill",
"start-firefox": "./packages/fxa-dev-launcher/bin/fxa-dev-launcher",
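Review bot: the new `lint:deps` script assumes every package in the monorepo defines its own `lint:deps`; with `lerna exec --parallel -- npm run lint:deps`, a package that lacks the script makes `npm run` exit non-zero and the whole parallel run fails. If not every package is expected to carry the script, consider `npm run --if-present lint:deps` in the exec command, or document that the script is mandatory per package.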
8 changes: 8 additions & 0 deletions packages/fxa-amplitude-send/.nsprc
@@ -0,0 +1,8 @@
{
"comment_535": "535 is a moderate severity RegExp denial of service vulnerability in mime, a dependency of s3.",
"comment_1118": "1118 is a critical severity arbitrary code execution in eslint-utils",
"exceptions": [
"https://npmjs.com/advisories/535",
"https://npmjs.com/advisories/1118"
]
}
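Review bot: the two exceptions record what the advisories are but not why accepting them is acceptable or when they will be revisited; `comment_1118` in particular describes a critical arbitrary code execution in eslint-utils with no note on whether that package is only reachable through dev tooling. Since the commit message says these are workarounds for `npm update --depth N` not taking effect, suggest adding the affected dependency path and a tracking reference (issue or advisory follow-up) to each comment, e.g. `"comment_1118": "1118 ... via <dependency path>; remove once <tracking ref> is resolved"`, so the exceptions do not silently become permanent.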
