
chore: dependency pinning and auditing #3449

Open. Wants to merge 18 commits into base: master

Conversation

@danielbate (Member) commented Dec 5, 2024

Summary

  • Pins dependency versions
  • Audits releases

Checklist

  • All changes are covered by tests (or not applicable)
  • All changes are documented (or not applicable)
  • I reviewed the entire PR myself (preferably, on GH UI)
  • I described all Breaking Changes (or there's none)

@danielbate danielbate added the chore Issue is a chore label Dec 5, 2024
@danielbate danielbate self-assigned this Dec 5, 2024
vercel bot commented Dec 5, 2024

Vercel deployment previews:

Name           Status   Updated (UTC)
fuels-template Ready    Dec 16, 2024 4:47pm
ts-docs        Ready    Dec 16, 2024 4:47pm
ts-docs-api    Ready    Dec 16, 2024 4:47pm

codspeed-hq bot commented Dec 5, 2024

CodSpeed Performance Report

Merging #3449 will degrade performance by 19.93%

Comparing db/chore/dep-pinning-audit (bc3d6f5) with master (41c72fb)

Summary

  • ❌ 1 regression
  • ✅ 17 untouched benchmarks

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Benchmarks breakdown

Benchmark                                                                  master   db/chore/dep-pinning-audit   Change
should successfully conduct a custom transfer between wallets (x20 times)  50.3 ms  62.8 ms                      -19.93%

@maschad (Member) left a comment

Dependabot already alerts us of existing vulnerabilities in our dependencies, so I don't believe this CI check is necessary.

Also, I'm not sure if dependency pinning serves as a defence against upgrading to malicious software:

  1. We already commit our lockfile, and so pnpm will install the same versions of the dependency. So if a vulnerability is discovered in an audit, we should actually upgrade to the patched version as opposed to keeping the dependency pinned at a particular version.

  2. Even pinned versions can become compromised retroactively - an attacker could gain access to the package registry account and replace the package content while keeping the same version number - we could explore using provenance logs for npm packages in such a case, but not many deps provide them unfortunately. That being said, it still may be worthwhile to run pnpm audit signatures in the future.

@danielbate (Member, Author) commented Dec 6, 2024

@maschad neither of these changes was intended as a foolproof solution, but merely as mitigation. Agreed, deps can be retroactively compromised and we commit our lock file.

Pinning dependencies does mitigate risk of us upgrading to a compromised version, which I believe is a more common risk.

Good point on the audit, with pinning in place we would only be upgrading from dependabot, so it would be redundant.
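As an added illustration of the pinning mitigation discussed in this thread (example code, not from the fuels-ts repository or either commenter): a small Node script that walks a package.json and reports every dependency specifier the resolver is still free to move, i.e. caret and tilde ranges, dist-tags such as latest, and git sources without a full commit hash. It treats workspace:, link: and file: specifiers as local packages, unwraps npm: aliases to their inner version, and counts a git URL with a 40-hex commit as pinned. The manifest below is constructed for the example; every package name and version in it is illustrative.

```javascript
// Added example (not fuels-ts code): report dependency specifiers in a
// package.json that are not pinned to an exact version.

// An exact semver version, optionally with pre-release and build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Sections whose specifiers decide what actually gets installed.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies"];

// Classify one specifier:
//   "local" - workspace:/link:/file: protocols, resolved inside the repo
//   "exact" - a single version (6.13.4) or a git source pinned to a commit
//   "range" - anything the resolver may move: ^16.9.0, ~5.6.3, latest, *
//   "url"   - git or tarball source without a full commit hash
function classifySpecifier(spec) {
  if (/^(workspace|link|file):/.test(spec)) return "local";
  if (spec.startsWith("npm:")) {
    // Alias form npm:<name>@<inner spec>; only the inner spec matters.
    const at = spec.lastIndexOf("@");
    return at > "npm:".length ? classifySpecifier(spec.slice(at + 1)) : "range";
  }
  if (/^(git\+|git:|https?:|ssh:|github:)/.test(spec)) {
    // A full commit hash after '#' is the URL equivalent of an exact pin.
    return /#[0-9a-f]{40}$/.test(spec) ? "exact" : "url";
  }
  return EXACT_VERSION.test(spec) ? "exact" : "range";
}

// Walk the manifest and collect every specifier that is neither exact nor local.
function findUnpinned(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpecifier(String(spec));
      if (kind === "range" || kind === "url") {
        findings.push({ section, name, spec, kind });
      }
    }
  }
  return findings;
}

function formatFindings(findings) {
  return findings.map((f) => `${f.section}.${f.name}: "${f.spec}" (${f.kind})`);
}

// Constructed sample manifest; names and versions are illustrative only.
const SAMPLE_MANIFEST = {
  name: "sample-package",
  dependencies: {
    "@example/internal-lib": "workspace:*",     // local workspace package: fine
    "ethers": "6.13.4",                         // exact pin: fine
    "graphql": "^16.9.0",                       // caret: may float to a newer minor
    "lodash-alias": "npm:lodash-es@4.17.21",    // alias to an exact version: fine
    "some-lib": "github:example-org/some-lib",  // git source with no commit
  },
  devDependencies: {
    "typescript": "~5.6.3",                     // tilde: may float to a newer patch
    "vitest": "latest",                         // dist-tag: whatever is newest at install time
  },
};

// Run against the sample. In CI you would JSON.parse each package.json in the
// workspace, pass it to findUnpinned, and fail the job on any finding.
const report = formatFindings(findUnpinned(SAMPLE_MANIFEST));
console.log(report.length ? report.join("\n") : "all dependencies pinned");
```

Note what this check does and does not cover: it catches a range in package.json that would let a routine `pnpm install` or an update pick up a newer, possibly compromised, release, which is the risk pinning addresses. It says nothing about a version that was replaced in place on the registry under the same number; that is the retroactive case raised above, which only signature or provenance verification can detect.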

@danielbate danielbate marked this pull request as ready for review December 6, 2024 10:12
Torres-ssf previously approved these changes Dec 12, 2024
Dhaiwat10 previously approved these changes Dec 12, 2024
arboleya previously approved these changes Dec 12, 2024
@danielbate (Member, Author) commented:

Okay, I'm taking the approvals as agreement. Will hold off till after this week's release window and then will merge, as I'll resolve the audit issues over the holiday period.

Contributor bot commented:

Coverage Report:

Lines 76.33% (+0%) | Branches 69.84% (+0%) | Functions 74.2% (+0%) | Statements 76.34% (+0%)
Changed Files:

Coverage values did not change👌.

Labels: chore (Issue is a chore)
Linked issue (may be closed by merging this pull request): Dependency Pinning & Auditing
6 participants