react-native-windows
Fix NPM compliance issues detected by Secure Supply Chain Analysis
Problem Description
The Secure Supply Chain Analysis task runs on our publish and compliance pipelines, and has detected multiple issues with how we consume NPM packages.
Detection logic: https://docs.opensource.microsoft.com/tools/nuget_security_analysis/azure_artifacts_checks/
Specific remedies for each error type: https://aka.ms/cfs
##[warning]packages/e2e-test-app/.npmrc - CFS0002: missing registry option.
##[warning]packages/sample-apps/.npmrc - CFS0002: missing registry option.
##[warning]vnext/.npmrc - CFS0002: missing registry option.
##[warning]package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@office-iss/react-native-win32-tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@office-iss/react-native-win32/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation-channel/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation-commands/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/automation/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/src/e2etest/projects/BarPackage/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/cli/src/e2etest/projects/FooPackage/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/codegen/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/find-repo-root/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/fs/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/package-utils/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/telemetry/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native-windows/virtualized-list/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native/repo-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@react-native/tester/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/babel-node-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/beachball-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/create-github-releases/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/doxysaurus/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/eslint-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/format-files/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/generated-beachball-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/integrate-rn/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-debug-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-e2e-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-out-of-snapshot-resolver/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-out-of-tree-resolver/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/jest-unittest-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/just-task/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/metro-dev-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/promote-release/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/stamp-version/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/take-screenshot/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/@rnw-scripts/ts-config/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/debug-test/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/integration-test-app/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/playground/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/react-native-platform-override/package.json - CFS0001: missing sibling .npmrc file.
##[warning]packages/react-native-windows-init/package.json - CFS0001: missing sibling .npmrc file.
##[warning]vnext/src/babel-plugin-codegen/package.json - CFS0001: missing sibling .npmrc file.
Steps To Reproduce
See results from the task running in a pipeline: Pipelines - Run RNW_0.0.0-canary.538 logs
Expected Results
No response
CLI version
npx react-native --version
Environment
npx react-native info
Target Platform Version
No response
Target Device(s)
No response
Visual Studio Version
No response
Build Configuration
No response
Snack, code example, screenshot, or link to a repository
No response
Note, these warnings all look like they assume a closed-source project which requires MSFT AAD credentials to authenticate and download packages to build the source.
So this may just need to go on the backlog until compliance has a solution for teams which produce OSS that customers build from source.
One workaround would be to create the approved, authenticated ADO NPM feed but only add it to the .npmrc files in CI. We could call a script as part of a git post-checkout hook.
Also, I don't know how long this has been a problem; no one's complaining about this, I just noticed it when fixing the NuGet feed issues. I hadn't seen that the compliance task now also checks NPM stuff.
What's the difference between an error vs. warning from this tool? How important are these issues?
> What's the difference between an error vs. warning from this tool? How important are these issues?
Like I said, no one's reached out and complained about this; we've been ignoring the warnings for a long while now. However, there may be some changes to that policy, currently on an internal thread with @dannyvv and CFS folks.