
11.0.0: Security Improvements & Dependency Shrinkwrap #228

Merged (3 commits), Sep 20, 2018

Conversation

SkyHacks (Contributor):

Context:

https://auth0team.atlassian.net/browse/EX-957
https://auth0team.atlassian.net/browse/EX-664

The CLI uses caret version ranges for its dependencies. In the event a breaking change is made to one of those dependencies, users could be affected. For example, recent changes made to the webtask-bundle package caused users with fresh installs of the CLI to fail when bundling.

Also, the CLI should not give any warnings about security issues or deprecated NPM modules when installing.

Summary:

All dependencies have been "shrink-wrapped". Going forward any changes to the CLI's dependencies will require an explicit update. Any such update should include prompt testing of any affected features.

The node engine constraint was updated from >=4.2.0 to >=8.9.0 prompting a new major version.

Old, unused and otherwise broken tests have been removed.

| Module | Issue | Action |
| --- | --- | --- |
| open | Command injection | Replaced with functionally equivalent package opn |
| boom | MAID through hoek | Updated version and node engine constraint. Updated boom.wrap to boom.boomify and boom.create to new Boom |
| minimatch | RegExp DoS | Updated wt-runtime dependency on babel |
| socks | "serious bug with socket data flow and an import issue" | Submitted PRs to superagent-proxy, proxy-agent, and webtask-log-stream |
| superagent | Related to socks | Submitted a PR to webtask-bundle |
| formatio | Unmaintained | Removed along with sinon |
| coffeescript | Renamed | Updated pad package |

From current NPM install output:

added 868 packages from 440 contributors and audited 8299 packages in 22.55s
found 0 vulnerabilities

Testing:

All code changes have been tested against the wt-cli test suite. For simplicity, only the Security V1 suite was used. No regression in actual functionality was detected although the test coverage does leave much to be desired. A thorough manual QA process is still recommended and expected, assuming this PR passes review.

@SkyHacks SkyHacks changed the title Clean deps 11.0.0: Security Improvements & Dependency Shrinkwrap Sep 19, 2018
SkyHacks (Contributor, Author):

Some additional context on the decision to remove the test files:

  • ./test/bin/mv.test.js was removed because it is testing a file that no longer exists.
  • ./test/stubs.js was only being used in mv.test.js so it is safe to remove as well.
  • ./test/tokens.js appears unmaintained. It was created 3 years ago and has only had one word changed since (that was 2 years ago). It is not referenced in the test suite. If it is run, the master branch does not pass.

@rwtombaugh rwtombaugh merged commit ce2668d into master Sep 20, 2018