Posted to dev@cordova.apache.org by Shazron <sh...@apache.org> on 2016/06/25 08:15:01 UTC

[DISCUSS] Use of nsp (node security cli) finds first vulnerable library that we use

I think it's the first [1].

This is in cordova-coho [2], from a test [3] that our former intern Vishal
(now employee) added. I'm not sure if any other repos are using a nsp test
besides coho.

We should add this check to our other repos that use node libraries.

Thoughts?

[1] https://issues.apache.org/jira/browse/CB-11484
[2] https://github.com/apache/cordova-coho
[3]
https://github.com/apache/cordova-coho/blob/c802314090dc262ef41444397a646f5bd178b3db/package.json#L32

Re: [DISCUSS] Use of nsp (node security cli) finds first vulnerable library that we use

Posted by Shazron <sh...@gmail.com>.
Bithound is a great tool. Looks like bithound has a cli, but it can only
check a repo at a url, and we can't run it locally before a commit happens
(as part of npm test). So it's more of a post-commit tool, which is fine.
For a nested project like cordova-lib however, it can't analyze the
dependencies -- I'm not sure if you can configure it to handle that repo.

Also it's free for open source projects (and has badges, etc).

Take a look at cordova-js, ouch:
https://www.bithound.io/github/apache/cordova-js/


On Sat, Jun 25, 2016 at 2:02 AM, Jesse <pu...@gmail.com> wrote:

> I would rather let bithound[1][2] handle that stuff, instead of adding a
> bunch of code to our tests for this.
> Here's a fix. [3]
>
> [1] https://www.bithound.io/github/purplecabbage/cordova-coho
> [2] https://www.bithound.io/github/apache/cordova-coho/
> [3] https://github.com/apache/cordova-coho/pull/128
>
> @purplecabbage
> risingj.com
>
> On Sat, Jun 25, 2016 at 1:15 AM, Shazron <sh...@apache.org> wrote:
>
> > I think it's the first [1].
> >
> > This is in cordova-coho [2], from a test [3] that our former intern Vishal
> > (now employee) added. I'm not sure if any other repos are using a nsp test
> > besides coho.
> >
> > We should add this check to our other repos that use node libraries.
> >
> > Thoughts?
> >
> > [1] https://issues.apache.org/jira/browse/CB-11484
> > [2] https://github.com/apache/cordova-coho
> > [3]
> > https://github.com/apache/cordova-coho/blob/c802314090dc262ef41444397a646f5bd178b3db/package.json#L32
> >
>
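As an added example, not code from cordova-coho, from nsp or from bithound, the following Node script shows the kind of check an `nsp check` step in `npm test` performs, covering both the first post's suggestion (run the check as part of the test script so it executes locally before a commit) and the point above about nested projects (a hosted post-commit scanner that only reads the top-level manifest misses dependencies nested further down). Every package in a nested dependency tree is matched against an advisory list by version range, and a non-zero exit code fails the test run. The advisory list, the advisory field names (`module`, `vulnerable_versions`, `patched_versions`), the dependency tree and the package names are all constructed for this example, and the range matcher handles only simple comparator ranges rather than full semver.

```javascript
// Added example, not code from cordova-coho or from nsp: a minimal advisory check
// of the kind an `nsp check` step in `npm test` performs. All data is constructed.

// Parse "1.2.3" (or "v1.2.3") into [major, minor, patch]; prerelease tags are ignored (assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unsupported version string: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a simple range such as "<1.4.2" or ">=2.0.0 <2.3.1";
// whitespace means AND and "||" means OR, as in semver range syntax.
function satisfies(version, range) {
  return range.split('||').some(function (alternative) {
    return alternative.trim().split(/\s+/).every(function (comparator) {
      const m = /^(<=|>=|<|>|=)?(\S+)$/.exec(comparator);
      if (!m) throw new Error('unsupported comparator: ' + comparator);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '<':  return c < 0;
        case '<=': return c <= 0;
        case '>':  return c > 0;
        case '>=': return c >= 0;
        default:   return c === 0;
      }
    });
  });
}

// Walk a nested dependency tree and list every installed package with its path
// from the root, so transitive and nested-project dependencies are covered too.
function flattenTree(node, parents) {
  const path = (parents || []).concat(node.name + '@' + node.version);
  let out = [{ name: node.name, version: node.version, path: path }];
  (node.dependencies || []).forEach(function (dep) {
    out = out.concat(flattenTree(dep, path));
  });
  return out;
}

// Match every package in the tree against the advisory list.
function findVulnerable(tree, advisories) {
  const findings = [];
  flattenTree(tree).forEach(function (pkg) {
    advisories.forEach(function (adv) {
      if (adv.module === pkg.name && satisfies(pkg.version, adv.vulnerable_versions)) {
        findings.push({ module: pkg.name, version: pkg.version, title: adv.title,
                        path: pkg.path.join(' > '), patched: adv.patched_versions });
      }
    });
  });
  return findings;
}

// Constructed advisories (module names, titles and ranges are made up for this example).
const ADVISORIES = [
  { module: 'example-parser', title: 'Regular expression denial of service',
    vulnerable_versions: '<1.4.2', patched_versions: '>=1.4.2' },
  { module: 'example-escaper', title: 'Improper output escaping',
    vulnerable_versions: '>=2.0.0 <2.3.1', patched_versions: '>=2.3.1' },
];

// Constructed dependency tree: the top-level parser is patched, but a nested
// copy pulled in by example-cli is not, which a top-level-only check would miss.
const TREE = {
  name: 'my-tool', version: '0.1.0',
  dependencies: [
    { name: 'example-parser', version: '1.4.2', dependencies: [] },
    { name: 'example-cli', version: '3.0.0', dependencies: [
      { name: 'example-parser', version: '1.3.0', dependencies: [] },
      { name: 'example-escaper', version: '2.2.0', dependencies: [] },
    ] },
  ],
};

// Print findings and return the exit code an `npm test` script would use:
// non-zero fails the test run, so the problem is caught before the commit.
function runCheck(tree, advisories) {
  const findings = findVulnerable(tree, advisories);
  findings.forEach(function (f) {
    console.log('[vulnerable] ' + f.module + '@' + f.version + ': ' + f.title +
                '\n  path: ' + f.path + '\n  patched in: ' + f.patched);
  });
  return findings.length === 0 ? 0 : 1;
}

const EXIT_CODE = runCheck(TREE, ADVISORIES);
console.log(EXIT_CODE === 0 ? 'no known vulnerable dependencies' : 'vulnerable dependencies found; test run should fail');
```

Run against the constructed tree it reports two findings, the nested `example-parser@1.3.0` and `example-escaper@2.2.0`, and returns exit code 1. In a real test script the last line would call `process.exit(code)`, and the script would be chained into the package's test command (for instance `"test": "node check-deps.js && jasmine"`, a hypothetical wiring, not cordova-coho's own) so that a vulnerable dependency fails `npm test` on the developer's machine as well as in CI.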

Re: [DISCUSS] Use of nsp (node security cli) finds first vulnerable library that we use

Posted by Jesse <pu...@gmail.com>.
I would rather let bithound[1][2] handle that stuff, instead of adding a
bunch of code to our tests for this.
Here's a fix. [3]

[1] https://www.bithound.io/github/purplecabbage/cordova-coho
[2] https://www.bithound.io/github/apache/cordova-coho/
[3] https://github.com/apache/cordova-coho/pull/128

@purplecabbage
risingj.com

On Sat, Jun 25, 2016 at 1:15 AM, Shazron <sh...@apache.org> wrote:

> I think it's the first [1].
>
> This is in cordova-coho [2], from a test [3] that our former intern Vishal
> (now employee) added. I'm not sure if any other repos are using a nsp test
> besides coho.
>
> We should add this check to our other repos that use node libraries.
>
> Thoughts?
>
> [1] https://issues.apache.org/jira/browse/CB-11484
> [2] https://github.com/apache/cordova-coho
> [3]
> https://github.com/apache/cordova-coho/blob/c802314090dc262ef41444397a646f5bd178b3db/package.json#L32
>