Add NPM dependency security audit CI job
Closed, DeclinedPublic
Actions

Assigned To

None

Authored By

	• Niedzielski
	Oct 31 2017, 1:13 PM

Description

Install NSP as a devDependency.
Add an audit script to package.json that calls nsp check.
Create a Jenkins job that runs each commit (non-voting) or periodically (report failures to #wikimedia-reading-web-bots).

More context available in the internal email titled "Follow up from monthly Readers".

Related Objects

Mentioned In: T104164: Routinely audit projects that use package.json with nodesecurity.io
T216419: Security review - Wikibase Termbox Front End
T177210: Security review of Marvin
Mentioned Here: T203749: marvin: critical severity security vulnerability detected in macaddress < 0.2.9 defined in package-lock.json.

Event Timeline

• Niedzielski created this task.Oct 31 2017, 1:13 PM

Should this be added to npm test to run on CI? Why does it need to be a new job?

@Jhernandez, it's nondeterministic (new concerns may be uncovered at any time) and probably requires network access so I wanted to keep it distinct from normal test failures.

• Niedzielski renamed this task from Add security audit job to Add NPM dependency security audit CI job.Oct 31 2017, 3:07 PM

• Niedzielski moved this task from Needs Triage to Backlog (Priority Descending) on the Marvin board.

Makes sense

• Niedzielski mentioned this in T177210: Security review of Marvin.Nov 17 2017, 1:51 PM

WMDE-leszek subscribed.Feb 18 2019, 4:43 PM

sbassett mentioned this in T216419: Security review - Wikibase Termbox Front End.Apr 26 2019, 5:52 PM

sbassett mentioned this in T104164: Routinely audit projects that use package.json with nodesecurity.io.Apr 26 2019, 7:41 PM