11.0.0: Security Improvements & Dependency Shrinkwrap #228
Context:
https://auth0team.atlassian.net/browse/EX-957
https://auth0team.atlassian.net/browse/EX-664
CLI uses caret version ranges for its dependencies. In the event a breaking change is made to one of those dependencies, users could be affected. For example, recent changes made to the `webtask-bundle` package caused users with fresh installs of the CLI to fail when bundling. Also, the CLI should not give any warnings about security issues or deprecated NPM modules when installing.
Summary:
All dependencies have been "shrink-wrapped". Going forward any changes to the CLI's dependencies will require an explicit update. Any such update should include prompt testing of any affected features.
The node engine constraint was updated from `>=4.2.0` to `>=8.9.0`, prompting a new major version. Old, unused and otherwise broken tests have been removed.
- `open`
- `opn`
- `boom`
- `hoek`
- `boom.wrap` to `boom.boomify` and `boom.create` to `new Boom`
- `minimatch`
- `wt-runtime` dependency on `babel`
- `socks`
- `superagent-proxy`, `proxy-agent`, and `webtask-log-stream`
- `superagent`
- `socks`
- `webtask-bundle`
- `formatio`
- `sinon`
- `coffeescript`
- `pad` package

From current NPM install output:
Testing:
All code changes have been tested against the wt-cli test suite. For simplicity, only the Security V1 suite was used. No regression in actual functionality was detected although the test coverage does leave much to be desired. A thorough manual QA process is still recommended and expected, assuming this PR passes review.
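The check the shrinkwrap change in this PR is meant to enforce, written out as an added example (this is not wt-cli code): flag dependency specs in a `package.json` that still float (caret, tilde, ranges, `*`) and confirm that an `npm-shrinkwrap.json` records an exact version for every runtime dependency. The manifest and shrinkwrap objects are constructed samples; the package names are borrowed from the list above but the versions are made up.

```javascript
// Added example, not wt-cli code: audit a package.json for floating dependency
// specs and verify that npm-shrinkwrap.json pins every runtime dependency.
// Both inputs below are constructed samples, not the real wt-cli manifests.

// An exact version is MAJOR.MINOR.PATCH with an optional prerelease tag and
// no leading operator; anything else (^, ~, >=, x, *) can drift on install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// Return [{ name, spec }] for every declared dependency whose spec is not exact.
function findFloatingDeps(pkg) {
  const floating = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) floating.push({ name, spec });
    }
  }
  return floating;
}

// Return the names of runtime dependencies that the shrinkwrap either omits
// or records without an exact version (either way, the install can drift).
function findUnpinnedByShrinkwrap(pkg, shrinkwrap) {
  const locked = (shrinkwrap && shrinkwrap.dependencies) || {};
  return Object.keys(pkg.dependencies || {}).filter((name) => {
    const entry = locked[name];
    return !entry || !EXACT_VERSION.test(entry.version || '');
  });
}

// Constructed sample manifest: two floating runtime specs, one exact, one '*' dev spec.
const samplePkg = {
  name: 'example-cli',
  engines: { node: '>=8.9.0' },
  dependencies: { 'webtask-bundle': '^1.0.0', opn: '5.3.0', boom: '~7.1.0' },
  devDependencies: { sinon: '*' },
};

// Constructed sample shrinkwrap: boom is absent, so it is not pinned.
const sampleShrinkwrap = {
  name: 'example-cli',
  dependencies: {
    'webtask-bundle': { version: '1.0.0' },
    opn: { version: '5.3.0' },
  },
};

console.log('floating specs:', findFloatingDeps(samplePkg));
console.log('not pinned by shrinkwrap:', findUnpinnedByShrinkwrap(samplePkg, sampleShrinkwrap));
```

Running both checks in CI before publishing catches a dependency that was added with a caret range after the shrinkwrap was generated.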