
Scan npm dependencies for vulnerabilities
Closed, Duplicate, Public

Description

We need to scan dependencies of dashiki and wikistats and any other projects that use npm/yarn. We need to do this periodically or maybe even with Jenkins when we build/verify.

For example, we could simply run npm audit: https://docs.npmjs.com/getting-started/running-a-security-audit

Update: it turns out this is very easy, see Lego's comment below, we just have to file a bug in Continuous-Integration-Config to add npm audit to our repos.

Event Timeline

Milimetric moved this task from Incoming to Operational Excellence on the Analytics board.
Milimetric added a subscriber: mobrovac.

ping @mobrovac have you any tools that do this already? Or should we work together?

We have been using nsp for a while now for Node.js services, but it will be discontinued at the end of September and replaced by the npm audit command, which is available for npm >= v6.0.0.

k, great, do you want to set up anything more standard in jenkins to run npm audit as part of Verify +2?

We currently have nsp [run as part of npm test](https://github.com/wikimedia/service-template-node/blob/1784fd19fcab699cda44b429ea31fa47e5e82793/package.json#L8) which automatically makes Jenkins run the test. When Jenkins gets npm v6+, we can then have npm audit run as part of the test.

CI already has support for running npm audit with npm v6, please file a bug in Continuous-Integration-Config if you want it added to your repositories.
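The two comments above describe running nsp (and later npm audit) as part of `npm test` so that Jenkins fails the verify job on known-vulnerable dependencies. As an added illustration of that gate, not code from this task or from any Wikimedia repository, the script below reads the JSON that `npm audit --json` prints and fails when findings at or above a chosen severity are present. It assumes the report carries per-severity counts under `metadata.vulnerabilities`, as npm 6 emits them; the report embedded below is constructed, and the function name `auditGate` is hypothetical.

```javascript
// Added example (not from the task or from any Wikimedia repo): a CI gate over
// the JSON produced by `npm audit --json`. Fails the build when findings at or
// above the chosen severity are present.
//
// Assumption: per-severity counts live under metadata.vulnerabilities, as in
// npm 6's report format. The sample report below is constructed.
'use strict';

// Severities in ascending order; the gate counts everything from the
// threshold upwards.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Parse an audit report and return whether it should block the build,
// how many findings were at or above `threshold`, and the raw counts.
function auditGate(reportText, threshold) {
  if (!SEVERITY_ORDER.includes(threshold)) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  const report = JSON.parse(reportText);
  // A report without the expected metadata block is treated as "no findings"
  // for the counts, but the caller can still see that counts is empty.
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  const minIndex = SEVERITY_ORDER.indexOf(threshold);
  let blocking = 0;
  for (const sev of SEVERITY_ORDER.slice(minIndex)) {
    blocking += Number(counts[sev] || 0);
  }
  return { failed: blocking > 0, blocking, counts };
}

// Constructed sample in the npm 6 shape: one moderate and one high finding.
const SAMPLE_REPORT = JSON.stringify({
  actions: [],
  advisories: {},
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 },
    dependencies: 120,
    devDependencies: 300,
    optionalDependencies: 0,
    totalDependencies: 420,
  },
});

// Map the gate result to the exit status a `npm test` step would use.
function exitCodeFor(reportText, threshold) {
  return auditGate(reportText, threshold).failed ? 1 : 0;
}

// Stand-alone demonstration: the sample report passes at "critical" but
// blocks at "high".
for (const threshold of ['critical', 'high', 'moderate']) {
  const result = auditGate(SAMPLE_REPORT, threshold);
  console.log(`threshold=${threshold} findings=${result.blocking} failed=${result.failed}`);
}
```

In a repository this would be wired into the test script so Jenkins runs it on every verify, for example by piping the audit output into the gate before the unit tests (`npm audit --json | node audit-gate.js` followed by the test runner). Thresholding on severity rather than on any finding at all keeps low-severity advisories from blocking merges while still failing on high and critical ones.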

mforns lowered the priority of this task from High to Low. Oct 8 2018, 4:44 PM
Milimetric closed this task as a duplicate of Restricted Task. Oct 22 2018, 3:59 PM