Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: dependency pinning and auditing #3449

Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

chore: dependency pinning and auditing #3449

wants to merge 18 commits into from

Conversation

danielbate
Copy link
Contributor

@danielbate danielbate commented Dec 5, 2024
edited
Loading

Summary

  • Pins dependency version
  • Audits releases

Checklist

  • All changes are covered by tests (or not applicable)
  • All changes are documented (or not applicable)
  • I reviewed the entire PR myself (preferably, on GH UI)
  • I described all Breaking Changes (or there's none)

@danielbate danielbate added the chore Issue is a chore label Dec 5, 2024
@danielbate danielbate self-assigned this Dec 5, 2024
@vercel Vercel
Copy link

vercel bot commented Dec 5, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
fuels-template ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 16, 2024 4:47pm
ts-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 16, 2024 4:47pm
ts-docs-api ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 16, 2024 4:47pm

@codspeed-hq CodSpeed HQ
Copy link

codspeed-hq bot commented Dec 5, 2024
edited
Loading

CodSpeed Performance Report

Merging #3449 will degrade performances by 19.93%

Comparing db/chore/dep-pinning-audit (bc3d6f5) with master (41c72fb)

Summary

❌ 1 regressions
✅ 17 untouched benchmarks

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Benchmarks breakdown

Benchmark master db/chore/dep-pinning-audit Change
should successfully conduct a custom transfer between wallets (x20 times) 50.3 ms 62.8 ms -19.93%

maschad
maschad requested changes Dec 5, 2024
View reviewed changes
Copy link
Member

@maschad maschad left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot already alerts us of existing vulnerabilities in our dependencies, so I don't believe this CI check is necessary.

Also I'm not sure if dependency pinning serves as a defence against upgrading to malicious software:

  1. We already commit our lockfile, and so pnpm will install the same versions of the dependency. So if a vulnerability is discovered in an audit, we should actually upgrade to the patched version as opposed to keeping the dependency pinned at a particular version.

  2. Even pinned versions can become compromised retroactively - an attacker could gain access to the package registry account and replace the package content while keeping the same version number - we could explore using provenance logs for npm packages in such a case, but not many deps provide them unfortunately. That being said It still may be worthwhile to run pnpm audit signatures in the future.

@danielbate
Copy link
Contributor Author

danielbate commented Dec 6, 2024
edited
Loading

@maschad neither of these changes were intended as full-proof solutions, but merely mitigation. Agreed deps can be retroactively compromised and we commit our lock file.

Pinning dependencies does mitigate risk of us upgrading to a compromised version, which I believe is a more common risk.

Good point on the audit, with pinning in place we would only be upgrading from dependabot, so it would be redundant.

@danielbate danielbate marked this pull request as ready for review December 6, 2024 10:12
Torres-ssf
Torres-ssf previously approved these changes Dec 12, 2024
View reviewed changes
Dhaiwat10
Dhaiwat10 previously approved these changes Dec 12, 2024
View reviewed changes
arboleya
arboleya previously approved these changes Dec 12, 2024
View reviewed changes
@danielbate
Copy link
Contributor Author

Okay I'm taking the approvals as agreement. Will hold off till after this weeks release window and then will merge, as I'll resolve the audit issues over the holiday period.

@github-actions GitHub Actions
Copy link
Contributor

Coverage Report:

Lines Branches Functions Statements
76.33%(+0%) 69.84%(+0%) 74.2%(+0%) 76.34%(+0%)
Changed Files:

Coverage values did not change👌.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@petertonysmith94 petertonysmith94 petertonysmith94 approved these changes

@arboleya arboleya arboleya approved these changes

@digorithm digorithm Awaiting requested review from digorithm digorithm is a code owner

@nedsalk nedsalk Awaiting requested review from nedsalk nedsalk is a code owner

@maschad maschad Awaiting requested review from maschad maschad is a code owner

@Dhaiwat10 Dhaiwat10 Awaiting requested review from Dhaiwat10 Dhaiwat10 is a code owner

@Torres-ssf Torres-ssf Awaiting requested review from Torres-ssf Torres-ssf is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@danielbate danielbate

Labels
chore Issue is a chore
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Dependency Pinning & Auditing
6 participants
@danielbate @maschad @Dhaiwat10 @arboleya @petertonysmith94 @Torres-ssf