Modify the npm audit workflow to omit the dev dependencies. #8754

Closed
jansiegel opened this issue Sep 27, 2021 · 0 comments · Fixed by #8755

@jansiegel
Member

Description

We should switch the npm audit command in the audit workflow to omit the dev dependencies, as they don't usually pose a threat in the production builds.

In later stages of this change, we should come up with a workflow (be it an actual GitHub Actions workflow, or anything else) helping us recognize vulnerabilities in the dev dependencies that should concern us, and fix them manually.

@jansiegel jansiegel self-assigned this Sep 27, 2021
jansiegel added a commit that referenced this issue Sep 27, 2021
jansiegel added a commit that referenced this issue Sep 28, 2021
…es. (#8755)

* - Switch the npm audit script to production in the GHA workflow
- Regenerate the package-lock file.

 #8754

* Fix an error being thrown after updating the package-lock, which caused a breaking change in some of the polyfills.
jansiegel added a commit that referenced this issue Sep 28, 2021
jansiegel added a commit that referenced this issue Oct 6, 2021
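
One way to approach the follow-up described in the issue (surfacing dev-dependency findings for manual review once the CI audit covers production only), as an added example that is not the project's workflow or code. It assumes the npm 7+ `npm audit --json` report format (`auditReportVersion: 2`) and a lockfile with a `packages` map (lockfileVersion 2 or later) where dev-only installs carry `dev: true`; the package names, the sample data and the `high` review floor are constructed for illustration.

```javascript
// Added example: sample data below is constructed, not taken from the project.
const SEVERITY = ['info', 'low', 'moderate', 'high', 'critical'];

// A finding is dev-only when every installed copy (audit "nodes" entry)
// is flagged `dev: true` in the lockfile's "packages" map. Unknown paths
// and empty node lists are treated as production (the conservative choice).
function isDevOnly(finding, lockfile) {
  const nodes = finding.nodes || [];
  return nodes.length > 0 &&
    nodes.every((path) => (lockfile.packages[path] || {}).dev === true);
}

// Split an audit report into production findings (fail the build),
// dev-only findings at or above the review floor (manual review queue),
// and the remaining dev-only findings. The floor is an assumed policy.
function triageAudit(report, lockfile, reviewFloor = 'high') {
  const floor = SEVERITY.indexOf(reviewFloor);
  const result = { production: [], devReview: [], devIgnored: [] };
  for (const finding of Object.values(report.vulnerabilities || {})) {
    const entry = { name: finding.name, severity: finding.severity };
    if (!isDevOnly(finding, lockfile)) result.production.push(entry);
    else if (SEVERITY.indexOf(finding.severity) >= floor) result.devReview.push(entry);
    else result.devIgnored.push(entry);
  }
  return result;
}

// Constructed sample input (hypothetical package names).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/runtime-lib': { version: '1.0.0' },
    'node_modules/build-tool': { version: '2.0.0', dev: true },
    'node_modules/test-helper': { version: '0.3.0', dev: true },
    'node_modules/shared-util': { version: '4.1.0' },
    'node_modules/build-tool/node_modules/shared-util': { version: '3.0.0', dev: true },
  },
};
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'runtime-lib': { name: 'runtime-lib', severity: 'moderate', nodes: ['node_modules/runtime-lib'] },
    'build-tool': { name: 'build-tool', severity: 'critical', nodes: ['node_modules/build-tool'] },
    'test-helper': { name: 'test-helper', severity: 'low', nodes: ['node_modules/test-helper'] },
    'shared-util': { name: 'shared-util', severity: 'high',
      nodes: ['node_modules/shared-util', 'node_modules/build-tool/node_modules/shared-util'] },
  },
};
console.log(JSON.stringify(triageAudit(sampleReport, sampleLock), null, 2));
```

In the sample, `shared-util` lands in the production bucket because one of its two installed copies ships at runtime, even though the other copy is reachable only through a dev tool.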