This issue exists in the latest npm version. We're working on FedRAMP certification, and there's a stormy debate about dependency scans and dependency vulnerabilities. Here's how it relates to you:

Currently, npm i and npm update will install the latest version of a dependency (or the latest according to the policy in package.json) - even if it was published just now. Published just now - could also be:
- published with a new vulnerability that is yet to be reported
- a package ownership was compromised and loaded with malicious code
- a package was just published with an exploit

Ideally, I would like to run npm i in a new project, or npm update in an existing project, and get all the dependencies that have had at least X days or more since their publication date.

My security team currently names 7, but teams should be able to bring their own policy over some built-in default. This 7 or X can come from a global setting, from a project's .npmrc, from CLI args, from an env-var - whatever you decide to support. Ideally, there should be a form to configure such an X to a pattern in the package name (e.g. starts with a prefix, belongs to a scope, or a concrete name) - but that's already high-end customization, way past the MVP of this feature. When the version-range policy offers only too-new versions - I suppose I'd like a message about it, and it should be possible to control the npm exit code for this case.

You're right - it's not my decision, it's a security policy I'm trying to comply with, no say there. So far, until this requirement fell down, we worked without a lockfile: when a version was packed into a docker - it was during CI and treated like a testable, proofable binary: scanned, functional-tested, integration-tested and black-box e2e. With our coverage we're confident with using greatest and latest in everything except what vitally had to be pinned for a breaking change or a known vulnerability - which is followed up by the team with issues of technical debt until they are unpinned. Now, on this comes the requirement to include latest of the corporate packages, and 7 days old for the rest, taking that 7 days is a legit delay for exploits to be noted. If I cannot find a way to do that - the alternative is tools like renovate, dependabot or snyk, with all the noise they create, manual decisions they require and setup hassle for a monorepo of ~30 services and ~60 packages, each with its own package.json.

I'm completely aware that such an npm feature will not be developed fast enough for us even if the request is adopted by npm.

Anyway. But I believe the usecase is sound. To our business - I'm probably missing something. I'm trying to think how I can use what you just showed me: Say we detected some public packages were recently updated. How does that bring us closer to public packages in delay next to latest corporate packages?

Even if I npm i --no-save a pinned version of some nested dependency - I'm not sure what npm will do to already installed versions. The main challenge is obviously that dependencies of dependencies should still follow the same rules. I'll have to test that with a real-life scenario.
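As an added example that is not part of this thread and not npm's own resolver, the Node.js script below shows how the rule discussed here could be applied while resolving a dependency tree: a default minimum publish age of 7 days, a per-prefix override so that a corporate scope always gets latest, the same rule applied to dependencies of dependencies, and a report plus a non-zero exit status when a range only offers too-new versions. The registry data (the package names `widget`, `widget-core`, `@corp/auth` and `brand-new` are made up) is constructed inline to stand in for the `versions` and `time` fields of a registry packument, so it runs offline; the semver handling is a deliberately minimal subset (exact, `^`, `~`, `*`, no prerelease tags) and is an assumption of this example, not npm's implementation.

```javascript
// Added example (not from the npm issue thread, not npm's own resolver).
// Applies a minimum-publish-age ("cooldown") rule while resolving a dependency
// tree, including dependencies of dependencies, with per-prefix overrides.
// REGISTRY below is constructed sample data standing in for the `versions`
// and `time` fields of a registry packument, so this runs offline.
const DAY_MS = 24 * 60 * 60 * 1000;

// Minimal semver subset: exact, ^, ~ and *. Prerelease tags are not handled.
function parseVersion(v) { const [major, minor, patch] = v.split('.').map(Number); return { major, minor, patch }; }

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

function satisfies(version, range) {
  if (range === '*' || range === 'latest') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (!op) return compareVersions(version, base) === 0;
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version), b = parseVersion(base);
  if (op === '^' && b.major === 0 && b.minor === 0) return compareVersions(version, base) === 0;
  if (op === '~' || (op === '^' && b.major === 0)) return v.major === b.major && v.minor === b.minor;
  return v.major === b.major; // ^x.y.z with x > 0: any version with the same major
}

// Policy: default cooldown plus overrides keyed by a package-name prefix
// (a scope such as "@corp/", or any prefix). The first matching override wins.
function minAgeDays(name, policy) {
  const hit = policy.overrides.find(o => name.startsWith(o.prefix));
  return hit ? hit.days : policy.defaultDays;
}

// Highest version in `range` published at least minAgeDays(name) days before
// `now`. Versions that satisfy the range but are too new are listed in `skipped`.
function pickVersion(name, range, packument, policy, now) {
  const cutoff = now.getTime() - minAgeDays(name, policy) * DAY_MS;
  const candidates = Object.keys(packument.versions).filter(v => satisfies(v, range)).sort(compareVersions).reverse();
  const skipped = [];
  for (const v of candidates) {
    if (Date.parse(packument.time[v]) <= cutoff) return { version: v, skipped };
    skipped.push(v);
  }
  return { version: null, skipped };
}

// Breadth-first walk from the root manifest, applying the rule at every level.
// Simplification: one version per package name (npm itself may nest versions);
// a later range the chosen version does not satisfy is reported as a conflict.
function resolveTree(rootDeps, registry, policy, now) {
  const resolved = {}, violations = [];
  const queue = Object.entries(rootDeps).map(([name, range]) => ({ name, range, via: '<root>' }));
  while (queue.length) {
    const { name, range, via } = queue.shift();
    if (resolved[name]) {
      if (!satisfies(resolved[name], range)) violations.push({ name, range, via, reason: `conflicts with ${name}@${resolved[name]}` });
      continue;
    }
    const packument = registry[name];
    if (!packument) { violations.push({ name, range, via, reason: 'not in registry' }); continue; }
    const { version, skipped } = pickVersion(name, range, packument, policy, now);
    if (!version) {
      violations.push({ name, range, via, reason: `only too-new versions: ${skipped.join(', ')}` });
      continue;
    }
    resolved[name] = version;
    for (const [depName, depRange] of Object.entries(packument.versions[version].dependencies || {})) {
      queue.push({ name: depName, range: depRange, via: `${name}@${version}` });
    }
  }
  // exitCode mirrors what the thread asks for: non-zero when the policy cannot be met.
  return { resolved, violations, exitCode: violations.length ? 1 : 0 };
}

// Constructed sample registry (package names are made up); `time` = publish date.
const NOW = new Date('2020-06-15T00:00:00Z');
const t = (d) => `${d}T00:00:00Z`;
const REGISTRY = {
  widget: {
    versions: { '1.0.0': { dependencies: { 'widget-core': '^1.0.0' } },
                '1.1.0': { dependencies: { 'widget-core': '^1.1.0' } },
                '1.2.0': { dependencies: { 'widget-core': '^1.2.0' } } },
    time: { '1.0.0': t('2020-05-01'), '1.1.0': t('2020-06-01'), '1.2.0': t('2020-06-14') },
  },
  'widget-core': {
    versions: { '1.0.0': {}, '1.1.0': {}, '1.1.1': {}, '1.2.0': {} },
    time: { '1.0.0': t('2020-04-01'), '1.1.0': t('2020-05-20'), '1.1.1': t('2020-06-13'), '1.2.0': t('2020-06-14') },
  },
  '@corp/auth': { versions: { '2.0.0': {}, '2.1.0': {} }, time: { '2.0.0': t('2020-05-01'), '2.1.0': t('2020-06-15') } },
  'brand-new': { versions: { '0.1.0': {} }, time: { '0.1.0': t('2020-06-14') } },
};

// The policy from the thread: 7 days by default, corporate scope always latest.
const POLICY = { defaultDays: 7, overrides: [{ prefix: '@corp/', days: 0 }] };
const ROOT_DEPS = { widget: '^1.0.0', '@corp/auth': '^2.0.0', 'brand-new': '^0.1.0' };

function demo() { return resolveTree(ROOT_DEPS, REGISTRY, POLICY, NOW); }

console.log(JSON.stringify(demo(), null, 2));
```

Run with node: widget resolves to 1.1.0 because 1.2.0 is one day old, and that choice in turn pins widget-core to 1.1.0 since its 1.1.1 and 1.2.0 are also inside the 7-day window; @corp/auth gets 2.1.0 on the day it was published because of the scope override; brand-new has no version old enough, so it lands in the violations list and the exit code is 1. A real tool would read the publish dates from the registry's packument `time` map and would need full semver range support, which this subset does not attempt.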