
deps: Update audit-ci implementation

Open quinnturner opened this issue 2 years ago • 4 comments

I am the author of audit-ci. I noticed this project was using it, and I wanted to help out!

  • Install latest audit-ci devDependency
  • Use yarn dlx instead of installed version in CI
  • Use .audit-ci.jsonc for better advisory management
  • Remove unused yarn install during the pipeline
  • Updates settings.json in VSCode to hide .audit-ci.jsonc
  • Removes unused advisory 1005059

I do have a separate approach for you to consider: run audit-ci immediately after running actions/setup-node and before the yarn install with yarn dlx in the release workflow. That way, if there's a compromised dependency that runs a postinstall in the release, you will catch it before it installs.


PR Checklist:

  • [x] Have you read the CONTRIBUTING.md?
  • [x] Does your PR follow the C4 patch requirements?
  • [x] Have you rebased your work on top of the latest master?
  • [x] Have you checked your code compiles? (yarn build)
  • [x] Have you included tests for any non-trivial functionality?
  • [x] Have you checked your code passes the unit tests? (yarn test)
  • [x] Have you checked your code formatting is correct? (yarn lint:js)
  • [x] If you added any dependencies, have you checked they do not contain any known vulnerabilities? (yarn audit)
  • [ ] If your changes affect public APIs, does your PR follow the C4 evolution of public contracts?
  • [ ] If your code changes public APIs, have you incremented the crate version numbers and documented your changes in the CHANGELOG.md?
  • [x] If you are contributing for the first time, please read the agreement in CONTRIBUTING.md now and add a comment to this pull request stating that your PR is in accordance with the Developer's Certificate of Origin.

Thank you for your code, it's appreciated! :)

quinnturner, Apr 08 '22 16:04
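The ordering suggested in the post above, shown as an added example workflow that is not the project's own; it assumes Yarn 2+ (which provides `yarn dlx`), the `.audit-ci.jsonc` file the PR adds, and placeholder job, step and version names.

```yaml
# Added example (not the project's workflow): audit the committed lockfile
# before any project dependency is installed, so a compromised package's
# lifecycle script cannot run ahead of the audit.
name: release
on:
  push:
    tags: ['v*']
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 16
          cache: yarn
      # Weak ordering (kept only as a comment): installing first lets any
      # postinstall script in the dependency tree execute before audit-ci
      # has a chance to fail the job.
      # - run: yarn install --immutable
      # - run: yarn audit-ci
      #
      # Hardened ordering: yarn dlx fetches only audit-ci and its own
      # dependencies into a temporary location, runs it against the lockfile
      # in the checkout, and fails the job on any advisory at or above the
      # configured severity that is not allowlisted in .audit-ci.jsonc.
      # Nothing from the project's own dependency tree has been installed yet.
      - name: Audit dependencies before installing them
        run: yarn dlx audit-ci@^6 --config ./.audit-ci.jsonc
      - run: yarn install --immutable
      - run: yarn build
```

If the audit step fails, the install and build steps never run, which is the point of placing it first.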

This pull request introduces 27 alerts when merging 69604462e30cbb6907a25473de397bf4b868cd3d into cc73b5cb863de61e3c7d25189fc5104e915a8fd2 - view on LGTM.com

new alerts:

  • 16 for Unused variable, import, function or class
  • 8 for Useless assignment to local variable
  • 1 for Useless conditional
  • 1 for Comparison between inconvertible types
  • 1 for Incomplete string escaping or encoding

lgtm-com[bot], May 19 '22 04:05

This pull request introduces 27 alerts when merging 4f8fc44d8aff662159817c7804b973969d4a1e34 into cc73b5cb863de61e3c7d25189fc5104e915a8fd2 - view on LGTM.com

new alerts:

  • 16 for Unused variable, import, function or class
  • 8 for Useless assignment to local variable
  • 1 for Useless conditional
  • 1 for Comparison between inconvertible types
  • 1 for Incomplete string escaping or encoding

lgtm-com[bot], May 19 '22 04:05

This pull request introduces 27 alerts when merging f84e60d195241772785e67c08029559e54ea96a5 into cc73b5cb863de61e3c7d25189fc5104e915a8fd2 - view on LGTM.com

new alerts:

  • 16 for Unused variable, import, function or class
  • 8 for Useless assignment to local variable
  • 1 for Useless conditional
  • 1 for Comparison between inconvertible types
  • 1 for Incomplete string escaping or encoding

lgtm-com[bot], May 19 '22 04:05

This pull request introduces 27 alerts when merging 42df653dc14066a812b5d6834189914b77f36ba9 into cc73b5cb863de61e3c7d25189fc5104e915a8fd2 - view on LGTM.com

new alerts:

  • 16 for Unused variable, import, function or class
  • 8 for Useless assignment to local variable
  • 1 for Useless conditional
  • 1 for Comparison between inconvertible types
  • 1 for Incomplete string escaping or encoding

lgtm-com[bot], May 19 '22 05:05