- Due Date
- Fri, Dec 29, 6:00 AM
| Reference | Source Branch | Dest Branch | Author | Title |
|---|---|---|---|---|
| repos/mediawiki/services/ipoid!8 | use-security-templates | main | mstyles | Draft: Update .gitlab-ci.yml file - use nodejs osv security template |
@kostajh I created a merge request; however, since there are vulnerabilities in the project, it won't be able to be merged at this point. The security team can change the security templates so that the security template doesn't cause the pipeline to stop, or the project settings can be changed to allow merges without the pipeline passing. The preferred route would be to update the project so that the dependencies are no longer vulnerable. Let me know what you think. The security templates are still in the early phases of being used, so feedback is very welcome.
I agree with that. Unfortunately, it seems like we're blocked on T309772: npm audit reports several security issues with Service runner. So I am going to mark this task as stalled, and if/when we fix T309772, we can reopen the MR.
@kostajh alternatively, we can continue to use the nodejs osv security template and allow it to fail until T309772 is fixed. I think if we don't use the security template now, it's unlikely to be added later. It would just be a manual process to skip over the nodejs osv security template until the final fix.
In my experience, if a CI job doesn't block a build on failure, eventually people stop looking at it, and then it's just adding to build times without providing value for that additional time.
If you, @Tchanders or @STran think that it is useful to add it as a non-blocking job, knowing that it is going to fail until we fix T309772: npm audit reports several security issues with Service runner, I don't have an objection to that.