Commit
Remove snyk badge and add dependencies badge
Snyk notoriously reports on the ms package used by socket.io, which is actually not a vulnerability, and the author rejected Snyk's fix. It looks bad on the README, so removing Snyk until they fix their attitude.
71a3331
Hey @dashersw! I'd love to fix this if this is an issue.
What vuln was being reported? The only one I'm currently seeing is https://snyk.io/vuln/npm:ms:20170412 which was merged into the ms library (vercel/ms#91) as of version 2.0.0. Did I miss one?
It is an issue with the ms library, yes. The pull request you linked still looks open, and socket.io is depending on it, so it's actually out of my control. I added snyk as a dependency and the patch it would do after an `npm install`; but that comes in with 130 external dependencies and I can't afford it.
My bad. Wrong PR. Coffee hasn't kicked in. :) vercel/ms#89
The other one is still open, and was someone else's additional fix/change.
Ewww. Completely understand the desire to avoid the patch.
You can tell Snyk to ignore the vuln for a while, until Socket updates their version of ms. If you run `snyk ignore --id=npm:ms:20170412` from the CLI (docs here: https://snyk.io/docs/using-snyk/#ignore), that will tell Snyk to ignore the vulnerability, give you your green badge back, and stop bothering you after `npm install`.
For full clarification, if someone else were to use cote as a dependency and test using Snyk, they'd still see the ms vulnerability. It's on them to decide what to do with it.
Amazing, thank you! Can it also ignore it on npm versions of this library?
Works for that too. When we test either the GH repo or npm package for vulns, we look for the `.snyk` policy file as well. So if you ignore the vuln and the latest published npm package contains a `.snyk` file saying so, you get the green badge.
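To make the two Snyk replies above concrete (the `snyk ignore` command, and the `.snyk` policy file that has to ship inside the published npm package), here is the shape of the policy file that command writes. This is an added example, not a file from the cote repository or from Snyk's comments; the vulnerability ID is the one named in the thread, while the schema version string, the reason text and the expiry date are assumptions chosen for illustration:

```yaml
# .snyk  (assumed example, not cote's actual file)
# Read by `snyk test` / `snyk monitor` for both the GitHub repo and the
# published npm package, which is why it must be committed AND published.
version: v1.7.1            # assumed: `snyk ignore` writes whatever schema version the CLI currently uses
ignore:
  # Vulnerability ID from the thread: the ms ReDoS report
  'npm:ms:20170412':
    - '*':                 # assumed: '*' means "every dependency path that reaches ms" (socket.io -> ... -> ms)
        reason: 'ms is pulled in transitively via socket.io; waiting on upstream to pick up ms 2.0.0'   # assumed text
        expires: '2017-08-01T00:00:00.000Z'   # assumed date; ignores are time-boxed so the decision gets revisited
```

Two checks before relying on the green badge: confirm the file is actually included in the tarball that reaches npm (if package.json uses a `files` whitelist, `.snyk` has to be listed there, and `.npmignore` must not exclude it; `npm pack` and inspecting the archive shows what will ship), and re-run `snyk test` locally after editing to see the ignore honoured. As Snyk notes above, the ignore is a statement about this package's own scan only; downstream projects depending on cote still see the ms finding in their scans and make their own call.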