Remove snyk badge and add dependencies badge
Snyk notoriously reports on the ms package used by socket.io, which
actually is no vulnerability, and the author rejected snyk's fix.
It looks bad on the README, so removing snyk until they fix their attitude.
dashersw committed Jun 4, 2017
1 parent 27c3aff commit 71a3331
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion README.md
@@ -1,10 +1,10 @@
cote — A Node.js library for building zero-configuration microservices
====

[![Known Vulnerabilities](https://snyk.io/test/npm/cote/badge.svg)](https://snyk.io/test/npm/cote)
[![npm version](https://badge.fury.io/js/cote.svg)](https://badge.fury.io/js/cote)
[![Build Status](https://travis-ci.org/dashersw/cote.svg?branch=master)](https://travis-ci.org/dashersw/cote)
[![Coverage Status](https://coveralls.io/repos/github/dashersw/cote/badge.svg)](https://coveralls.io/github/dashersw/cote)
[![dependencies Status](https://david-dm.org/dashersw/cote/status.svg)](https://david-dm.org/dashersw/cote)
[![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/dashersw/cote/master/LICENSE)

**cote lets you write zero-configuration microservices in Node.js without nginx,
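Review bot: the `Known Vulnerabilities` badge removed in this hunk was the README's only vulnerability signal, and the `dependencies Status` (david-dm) badge added in its place reports whether dependencies are up to date, not whether they carry known issues, so readers of the README lose that information. Since the disputed ms finding is transitive via socket.io and outside this project's control, an alternative that keeps the badge is to record the exception in a `.snyk` policy file with a reason and an expiry, which is also where the comment thread on this commit ends up.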

5 comments on commit 71a3331

@tkadlec tkadlec commented on 71a3331 Jun 5, 2017

Hey @dashersw! I'd love to fix this if this is an issue.

What vuln was being reported? The only one I'm currently seeing is https://snyk.io/vuln/npm:ms:20170412 which was merged into the ms library (vercel/ms#91) as of version 2.0.0. Did I miss one?

@dashersw
Owner Author

It is an issue; with the ms library, yes. The pull request you linked still looks open; and socket.io is depending on it so it's actually out of my control. I added snyk as a dependency and the patch it would do after an npm install; but that comes in with 130 external dependencies and I can't afford it.

@tkadlec tkadlec commented on 71a3331 Jun 5, 2017

My bad. Wrong PR. Coffee hasn't kicked in. :) vercel/ms#89

The other one is still open, and was someone else's additional fix/change.

> but that comes in with 130 external dependencies and I can't afford it.

Ewww. Completely understand the desire to avoid the patch.

You can tell Snyk to ignore the vuln for a while, until Socket updates their version of ms. Running `snyk ignore --id=npm:ms:20170412` from the CLI (docs here: https://snyk.io/docs/using-snyk/#ignore) will tell Snyk to ignore the vulnerability, give you your green badge back and stop bothering you after npm install.

For full clarification, if someone else were to use cote as a dependency and test using Snyk, they'd still see the ms vulnerability—it's on them to decide what to do with it.

@dashersw
Owner Author

Amazing, thank you! Can it also ignore it on npm versions of this library?

@tkadlec tkadlec commented on 71a3331 Jun 5, 2017

Works for that too. When we test either the GH repo or npm package for vulns, we look for the .snyk policy file as well. So if you ignore the vuln and the latest published npm package contains a .snyk file saying so, you get the green badge.
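The `.snyk` policy file that the two tkadlec comments above describe (the `snyk ignore` step and the file shipped in the npm package), as an added example that is not the cote project's own file: the `version` value, the `'*'` dependency path, the reason text and the expiry date are assumptions; only the issue id `npm:ms:20170412` comes from the thread.

```yaml
# .snyk policy file at the repository root (constructed example, not cote's own).
# Snyk reads it both from the GitHub repo and from the published npm tarball,
# so the same ignore covers both badge tests mentioned in the thread.
version: v1.7.1              # policy schema version; assumed, use whatever `snyk ignore` writes

ignore:
  'npm:ms:20170412':          # issue id from the Snyk report, the same value passed to --id=
    - '*':                    # dependency path; '*' matches ms wherever it sits in the tree (assumed)
        reason: Transitive via socket.io; upstream fix is in ms 2.0.0, waiting for socket.io to update
        expires: '2017-09-04T00:00:00.000Z'   # assumed date; after it Snyk reports the issue again

patch: {}                     # no Snyk patch step, which keeps the extra install-time dependencies out
```

Commit the file alongside `package.json`; the `expires` date is what makes the ignore temporary rather than a permanent suppression.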
