Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Socket.dev reports on all our repos #17

Open
wesleytodd opened this issue Apr 16, 2024 · 11 comments
Open

Socket.dev reports on all our repos #17

wesleytodd opened this issue Apr 16, 2024 · 11 comments

Comments

@wesleytodd
Copy link
Member

I think we should add the Socket.dev tooling to all three orgs repos. It is easy to do, I have already done it for some personal repos and some work ones. I find it is the best in class for warning me about changes I might care about in updated dependencies. Anyone opposed to this? I could add it just to one for the time being if we wanted to try it out first.

cc @expressjs/express-tc @expressjs/security-wg

@ctcpip
Copy link
Member

ctcpip commented Apr 16, 2024

I don't really see any downside aside from the noise from comments. (Which shouldn't be just noise if it's doing anything useful.) And we can always remove it.

@wesleytodd
Copy link
Member Author

The one thing I am not sure is how well it reports when we dont have lockfiles. There are good reasons not to have lock files for libraries, but it might be another thing to consider at some point. If we can get reliable automation around testing before publish with fully updated locks then ideally we can add them, but for now even just something to help tell us that a PR like this did not pull in anything surprising would be nice.

@UlisesGascon
Copy link
Member

I think we should add the Socket.dev tooling to all three orgs repos.

Yes! 100%

The one thing I am not sure is how well it reports when we dont have lockfiles.

We can do a test and if this is an issue we can revert the integration or explore alternatives.

@ctcpip
Copy link
Member

ctcpip commented Apr 18, 2024

The one thing I am not sure is how well it reports when we dont have lockfiles.

IME with these tools, the only way to know for sure is to fork a repo and compare the results with and without a lock file.

@wesleytodd
Copy link
Member Author

wesleytodd commented Apr 18, 2024

Now that I am thinking about it I think I have this running on some without lockfiles and it is working well. Examples:

wesleytodd/create-git#54 (comment)
wesleytodd/cptmpl#13 (comment)

@UlisesGascon
Copy link
Member

Seems like we are good to add it. We can do a fast check with the team in the next TC meeting and enable it

@wesleytodd
Copy link
Member Author

Yep I will add the agenda label. But yeah then I can enable it on a few to start.

@bjohansebas
Copy link
Member

I think this is already complete, right? I see it has already been integrated into several repositories that weren't included before

@wesleytodd
Copy link
Member Author

It is partially complete, but I think I need to add it in a few more things to complete it. Once I have time to verify it all I will circle back and close this.

@bjohansebas
Copy link
Member

Also, I can't see the reports generated by socket. Is there a way to make them public?

@wesleytodd
Copy link
Member Author

I have that on my list to ask about. Just haven't gotten to that yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy