
chore(deps): Get audit-filter working for all packages in monorepo #3372

Merged
merged 1 commit into from Nov 18, 2019

Conversation

jaredhirsch
Member

Commit message / issue summary

  • Add a lint:deps job to the top-level package.json, so lerna can run
    lint:deps in all packages in parallel.

  • Also fix today's handlebars vulnerability, so that builds don't fail.

Some of the vulnerabilities are in transitive dependencies, yet the
suggested `npm update foo --depth N` command sometimes seems to do
nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by
npm/cli#239, but perhaps that didn't fix all the
cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter
exceptions where `npm update` wasn't able to fix vulnerabilities.

Fixes #2229.

Testing this PR

Pretty simple, really:

  1. run `npm run lint:deps` at top-level in the repo

There's quite a bit of terminal output; as long as it doesn't throw an error, we're good 👍

Click to view sample terminal output
]$ npm run lint:deps

> fxa@2.0.0 lint:deps /Users/jh/codez/github/mozilla-fxa
> lerna exec --parallel -- npm run lint:deps

lerna notice cli v3.16.4
lerna info versioning independent
lerna info Executing command in 17 packages: "npm run lint:deps"
123done: > 123done@0.0.2 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/123done
123done: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
browserid-verifier: > browserid-verifier@0.10.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/browserid-verifier
browserid-verifier: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-auth-db-mysql: > fxa-auth-db-mysql@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-auth-db-mysql
fxa-auth-db-mysql: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
firefox-fortress: > firefox-fortress@0.0.2 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fortress
firefox-fortress: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-customs-server: > fxa-customs-server@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-customs-server
fxa-customs-server: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-profile-server: > fxa-profile-server@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-profile-server
fxa-profile-server: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-auth-server: > fxa-auth-server@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-auth-server
fxa-auth-server: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-dev-launcher: > fxa-dev-launcher@1.0.0 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-dev-launcher
fxa-dev-launcher: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-event-broker: > fxa-event-broker@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-event-broker
fxa-event-broker: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-amplitude-send: > fxa-amplitude-send@1.1.0 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-amplitude-send
fxa-amplitude-send: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-content-server: > fxa-content-server@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-content-server
fxa-content-server: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-email-event-proxy: > fxa-email-event-proxy@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-email-event-proxy
fxa-email-event-proxy: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-js-client: > fxa-js-client@1.0.21 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-js-client
fxa-js-client: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-payments-server: > fxa-payments-server@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-payments-server
fxa-payments-server: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-geodb: > fxa-geodb@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-geodb
fxa-geodb: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-shared: > fxa-shared@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-shared
fxa-shared: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-support-panel: > fxa-support-panel@1.150.1 lint:deps /Users/jh/codez/github/mozilla-fxa/packages/fxa-support-panel
fxa-support-panel: > npm audit --json | audit-filter --nsp-config=.nsprc --audit=-
fxa-dev-launcher: No advisories found after filtering.
123done: No advisories found after filtering.
firefox-fortress: No advisories found after filtering.
fxa-amplitude-send: No advisories found after filtering.
browserid-verifier: No advisories found after filtering.
fxa-email-event-proxy: No advisories found after filtering.
fxa-shared: No advisories found after filtering.
fxa-auth-db-mysql: No advisories found after filtering.
fxa-geodb: No advisories found after filtering.
fxa-event-broker: No advisories found after filtering.
fxa-profile-server: No advisories found after filtering.
fxa-customs-server: No advisories found after filtering.
fxa-support-panel: No advisories found after filtering.
fxa-js-client: No advisories found after filtering.
fxa-auth-server: No advisories found after filtering.
fxa-content-server: No advisories found after filtering.
fxa-payments-server: No advisories found after filtering.
lerna success exec Executed command in 17 packages: "npm run lint:deps"
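The filter step that each package's lint:deps job runs (`npm audit --json | audit-filter --nsp-config=.nsprc --audit=-`), re-implemented in miniature as an added example; this is not code from the PR or from audit-filter itself. It assumes the .nsprc shape `{"exceptions": [advisory URLs]}` and the npm 6 audit JSON layout; the advisory ids, URLs, paths and the module names other than handlebars are constructed.

```javascript
// Added example, not code from the PR or from audit-filter: a miniature
// re-implementation of `npm audit --json | audit-filter --nsp-config=.nsprc --audit=-`.
// Assumes .nsprc is {"exceptions": ["https://npmjs.com/advisories/<id>", ...]} and
// the audit JSON uses the npm 6 layout ({advisories: {<id>: {...}}}).

// Constructed sample report: advisory ids, urls and the non-handlebars names are made up.
const SAMPLE_AUDIT = { advisories: {
  1001: { id: 1001, module_name: 'handlebars', severity: 'high',
          url: 'https://npmjs.com/advisories/1001',
          findings: [{ version: '4.1.2', paths: ['handlebars'] }] },
  1002: { id: 1002, module_name: 'deep-dep', severity: 'moderate',
          url: 'https://npmjs.com/advisories/1002',
          findings: [{ version: '1.0.0', paths: ['top-pkg>mid-pkg>deep-dep'] }] },
} };
// Constructed .nsprc: only the handlebars advisory is accepted as an exception.
const SAMPLE_NSPRC = { exceptions: ['https://npmjs.com/advisories/1001'] };

// Numeric advisory id from an .nsprc exception entry (trailing digits of the URL).
function exceptionId(entry) {
  const m = String(entry).match(/(\d+)\s*$/);
  return m ? Number(m[1]) : NaN;
}

// Apply the exception list; anything not excepted still fails the build.
function filterAdvisories(audit, nsprc) {
  const excepted = new Set((nsprc.exceptions || []).map(exceptionId));
  const remaining = [], suppressed = [];
  for (const adv of Object.values(audit.advisories || {})) {
    (excepted.has(Number(adv.id)) ? suppressed : remaining).push(adv);
  }
  return { remaining, suppressed };
}

// Nesting depth of a finding path like "top-pkg>mid-pkg>deep-dep": the N that
// npm's suggested `npm update <pkg> --depth N` needs to reach the transitive dep.
function findingDepth(path) {
  return path.split('>').length;
}

// Report lines plus the exit code lerna sees: 1 means unfiltered advisories remain.
function report(audit, nsprc) {
  const { remaining, suppressed } = filterAdvisories(audit, nsprc);
  const lines = suppressed.map((a) => `excepted: ${a.module_name} (${a.url})`);
  for (const a of remaining) for (const f of a.findings) for (const p of f.paths) {
    lines.push(`${a.severity}: ${a.module_name}@${f.version} via ${p} (depth ${findingDepth(p)})`);
  }
  if (remaining.length === 0) lines.push('No advisories found after filtering.');
  return { lines, exitCode: remaining.length === 0 ? 0 : 1 };
}
console.log(report(SAMPLE_AUDIT, SAMPLE_NSPRC).lines.join('\n'));
```

With the sample data the handlebars finding is suppressed and the transitive deep-dep finding still returns exit code 1, which is exactly the case where the PR had to add an .nsprc exception because `npm update --depth N` did not fix it.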

Contributor

@dannycoates dannycoates left a comment


👍

@jaredhirsch jaredhirsch changed the title chore(deps): Get audit-filter working for all packages in monorepo [HOLD] chore(deps): Get audit-filter working for all packages in monorepo Nov 15, 2019
@jaredhirsch
Member Author

I'm going to wait until the eslint PR lands before landing this one

@jaredhirsch jaredhirsch changed the title [HOLD] chore(deps): Get audit-filter working for all packages in monorepo chore(deps): Get audit-filter working for all packages in monorepo Nov 15, 2019
@jaredhirsch jaredhirsch force-pushed the 2229-audit-filter branch 3 times, most recently from 3d8f7e1 to 0607093 Compare November 18, 2019 19:30
* Add a lint:deps job to the top-level package.json, so lerna can run
  lint:deps in all packages in parallel.

* Also handle recent handlebars vulnerability, so that builds don't fail.

* Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't
  get it to build yet in the monorepo.

Some of the vulnerabilities are in transitive dependencies, yet the
suggested `npm update foo --depth N` command sometimes seems to do
nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by
npm/cli#239, but perhaps that didn't fix all the
cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter
exceptions where `npm update` wasn't able to fix vulnerabilities.

Fixes #2229.
Successfully merging this pull request may close these issues.

Enable audit-filter for npm dependencies for all packages in monorepo