Closed
Related to #2228 and inspired by the checklist item in #1128, let's make sure transitive dependencies are up-to-date across the whole monorepo. Copying in the checklist item from #1128 for guidance, and adding checkboxes for each package within the monorepo:
Packages with npm audit --json integrated into testing via a lint:deps npm task:
- 123done
- browserid-verifier
- fxa-auth-db-mysql
- fxa-auth-server
- fxa-basket-proxy
- fxa-content-server
- fxa-customs-server
- fxa-email-event-proxy
- fxa-email-service
- fxa-event-broker
- fxa-geodb
- fxa-js-client
- fxa-payments-server (chore(payments): add npm auditing to payments-server dependencies #1896)
- fxa-profile-server
- fxa-shared
- fxa-support-panel ([Support Integration] Security Checklist #741)
Security guidance for reference:
- enable security scanning of 3rd-party libraries and dependencies
- For node.js, use npm audit with audit-filter to review and handle exceptions (see example in speech-proxy)
- For Python, enable pyup security updates:
- Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
- Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team CANNOT push to those branches.
- From the "add a team" dropdown for your repo /settings page
- Add the "Approved Mozilla PyUp Configuration" team for your github org (e.g. for mozilla and mozilla-services)
- Grant it write permission so it can make pull requests
- notify secops@mozilla.com to enable the integration in pyup