
chore: dependency pinning and auditing #3449

Merged: 24 commits, Jan 2, 2025

Conversation

@danielbate (Member) commented Dec 5, 2024

Summary

  • Pins dependency version
  • A workflow to audit releases

Checklist

  • All changes are covered by tests (or not applicable)
  • All changes are documented (or not applicable)
  • I reviewed the entire PR myself (preferably, on GH UI)
  • I described all Breaking Changes (or there's none)

@danielbate danielbate added the chore Issue is a chore label Dec 5, 2024
@danielbate danielbate self-assigned this Dec 5, 2024

vercel bot commented Dec 5, 2024

The latest updates on your projects:

Name          | Status   | Updated (UTC)
fuels-template | ✅ Ready | Jan 2, 2025 1:48pm
ts-docs       | ✅ Ready | Jan 2, 2025 1:48pm
ts-docs-api   | ✅ Ready | Jan 2, 2025 1:48pm


codspeed-hq bot commented Dec 5, 2024

CodSpeed Performance Report

Merging #3449 will degrade performances by 19.93%

Comparing db/chore/dep-pinning-audit (bc3d6f5) with master (41c72fb)

Summary

❌ 1 regressions
✅ 17 untouched benchmarks

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Benchmarks breakdown

Benchmark                                                               | master  | db/chore/dep-pinning-audit | Change
should successfully conduct a custom transfer between wallets (x20 times) | 50.3 ms | 62.8 ms                    | -19.93%

@maschad (Member) requested changes Dec 5, 2024

Dependabot already alerts us of existing vulnerabilities in our dependencies, so I don't believe this CI check is necessary.

Also I'm not sure if dependency pinning serves as a defence against upgrading to malicious software:

  1. We already commit our lockfile, and so pnpm will install the same versions of the dependency. So if a vulnerability is discovered in an audit, we should actually upgrade to the patched version as opposed to keeping the dependency pinned at a particular version.

  2. Even pinned versions can become compromised retroactively - an attacker could gain access to the package registry account and replace the package content while keeping the same version number - we could explore using provenance logs for npm packages in such a case, but not many deps provide them unfortunately. That being said, it still may be worthwhile to run pnpm audit signatures in the future.

@danielbate (Member, Author) commented Dec 6, 2024

@maschad neither of these changes were intended as foolproof solutions, but merely mitigation. Agreed, deps can be retroactively compromised and we commit our lock file.

Pinning dependencies does mitigate risk of us upgrading to a compromised version, which I believe is a more common risk.

Good point on the audit, with pinning in place we would only be upgrading from dependabot, so it would be redundant.
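The mitigation danielbate relies on above is that every specifier in package.json names one exact version, so an upgrade is always an explicit, reviewable change rather than a side effect of a lockfile refresh. As an added example (not code from this PR or the fuels-ts repo), a small check that flags specifiers which are not pinned that way; the sample package.json is constructed, and the `workspace:` skip assumes pnpm's workspace protocol.

```javascript
// Added example: flag package.json dependency specifiers that are not pinned
// to one exact version, so a routine install cannot silently pull a newer
// (possibly compromised) release. Not the project's own tooling.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns [{ field, name, spec, reason }] for every specifier that is not exact.
function findUnpinnedDependencies(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, rawSpec] of Object.entries(pkg[field] || {})) {
      let spec = String(rawSpec).trim();
      // pnpm workspace links resolve locally, not from the registry: skip them.
      if (spec.startsWith('workspace:')) continue;
      // npm aliases (`npm:@scope/real@1.2.3`): judge the part after the last '@'.
      if (spec.startsWith('npm:')) spec = spec.slice(spec.lastIndexOf('@') + 1);
      let reason = null;
      if (/^(git\+|https?:|github:|file:|link:)/.test(spec)) reason = 'non-registry source';
      else if (!EXACT_SEMVER.test(spec)) reason = 'version range';
      if (reason) findings.push({ field, name, spec: rawSpec, reason });
    }
  }
  return findings;
}

// Constructed sample package.json covering each kind of specifier.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'pinned-lib': '1.4.2',
    'caret-lib': '^2.0.0',
    'tilde-lib': '~1.1.0',
    'prerelease-lib': '3.0.0-beta.1',
    'aliased-lib': 'npm:@scope/real-lib@5.1.0',
    'git-lib': 'github:someorg/some-lib#main',
    'local-pkg': 'workspace:*',
  },
  devDependencies: { 'star-lib': '*', 'latest-lib': 'latest' },
};

function main() {
  const findings = findUnpinnedDependencies(SAMPLE_PACKAGE_JSON);
  for (const f of findings) console.log(`${f.field}: ${f.name}@${f.spec} (${f.reason})`);
  return findings; // 5 findings for the sample above
}
main();
```

Running the check in CI (and failing the job on a non-empty result) turns the pinning convention into something a reviewer does not have to verify by eye.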

@danielbate danielbate marked this pull request as ready for review December 6, 2024 10:12
Torres-ssf previously approved these changes Jan 2, 2025
nedsalk previously approved these changes Jan 2, 2025

github-actions bot commented Jan 2, 2025

Coverage Report:

Lines         | Branches       | Functions      | Statements
77.78% (+0%)  | 70.44% (+0.04%) | 75.37% (-0.01%) | 77.74% (+0%)

Changed Files (✨ = New File):

Ok | File                                               | Lines       | Branches         | Functions   | Statements
🔴 | packages/create-fuels/src/lib/getPackageManager.ts | 100% (+0%)  | 88.88% (+8.88%)  | 100% (+0%)  | 100% (+0%)

@petertonysmith94 petertonysmith94 dismissed maschad’s stale review January 2, 2025 15:17

Comments appear to be resolved.

@petertonysmith94 petertonysmith94 merged commit 12e801e into master Jan 2, 2025
29 of 30 checks passed
@petertonysmith94 petertonysmith94 deleted the db/chore/dep-pinning-audit branch January 2, 2025 15:18
Successfully merging this pull request may close these issues: Dependency Pinning & Auditing