chore(deps): Get audit-filter working for all packages in monorepo
* Add a lint:deps job to the top-level package.json, so lerna can run
  lint:deps in all packages in parallel.

* Also handle recent handlebars vulnerability, so that builds don't fail.

* Note, the lint:deps job is a no-op in fxa-amplitude-send, as I can't
  get it to build yet in the monorepo.

Some of the vulnerabilities are in transitive dependencies, yet the
suggested `npm update foo --depth N` command sometimes seems to do
nothing. There was a related bug in npm 6.6.0 - 6.11.2, fixed by
npm/cli#239, but perhaps that didn't fix all the
cases? (I was using npm 6.12.0.) As a workaround, I've added audit-filter
exceptions where `npm update` wasn't able to fix vulnerabilities.

Fixes #2229.
jaredhirsch committed Nov 18, 2019
1 parent 28b3857 commit 0607093
Showing 17 changed files with 2,015 additions and 1,244 deletions.
1 change: 1 addition & 0 deletions package.json
@@ -6,6 +6,7 @@
"authors": "git shortlog -s | cut -c8- | sort -f > AUTHORS",
"postinstall": "_scripts/install_all.sh",
"npm-ci-all": "lerna exec --parallel -- npm ci",
"lint:deps": "lerna exec --parallel -- npm run lint:deps",
"start": "pm2 start mysql_servers.json && echo \"Use 'npm stop' to stop all the servers\"",
"stop": "pm2 kill",
"start-firefox": "./packages/fxa-dev-launcher/bin/fxa-dev-launcher",
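Review bot: `lerna exec --parallel -- npm run lint:deps` will fail the whole job for any package that does not define a `lint:deps` script, since `npm run` exits non-zero on a missing script; that is what forces the placeholder script in fxa-amplitude-send. `lerna run lint:deps` runs the script only in packages that define it and would make the placeholder unnecessary; if `lerna exec` is kept, the top-level README or this script line should state that every package must define `lint:deps`.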
3 changes: 2 additions & 1 deletion packages/fxa-amplitude-send/package.json
@@ -21,7 +21,8 @@
},
"scripts": {
"build-node-docker-image": "docker build -f Dockerfile-nodejs -t mozilla/fxa-amplitude-send:`git describe`-node .",
"lint": "eslint *.js bin/*.js"
"lint": "eslint *.js bin/*.js",
"lint:deps": "echo 'dependency checking not yet enabled for fxa-amplitude-send'"
},
"repository": {
"type": "git",
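Review bot: the `echo` placeholder exits 0, so the monorepo-wide `lint:deps` job will report this package as passing while no audit runs on it at all; the coverage gap is invisible in CI output. At minimum the message should point at a tracking issue for enabling the audit here (a placeholder such as `see issue #<tracking-issue>`, filled in with the real number), and the gap should be recorded in the commit message or README so it is revisited once the package builds in the monorepo.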
15 changes: 14 additions & 1 deletion packages/fxa-auth-db-mysql/.nsprc
@@ -1,3 +1,16 @@
{
"exceptions": []
"comment_755": "755 is prototype pollution in handlebars, used by nyc.",
"comment_1065": "1065 is prototype pollution in lodash, used by nyc.",
"comment_1164": "1164 is prototype pollution in handlebars, used by nyc.",
"comment_1171": "1171 is RegExp denial of service in csv-parse, used by restify.",
"comment_1300": "1300 is denial of service vulnerability in handlebars, used by nyc.",
"comment_1316": "1316 is arbitrary code execution in handlebars, used by nyc.",
"exceptions": [
"https://npmjs.com/advisories/755",
"https://npmjs.com/advisories/1065",
"https://npmjs.com/advisories/1164",
"https://npmjs.com/advisories/1171",
"https://npmjs.com/advisories/1300",
"https://npmjs.com/advisories/1316"
]
}
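Review bot: all six exceptions are open-ended, with no expiry or condition for removal, and the `comment_*` entries record the package path but not why `npm update` could not fix it or when the exception should be re-checked; each comment should carry that reason and a tracking reference so the list shrinks instead of growing. The nyc-only advisories (755, 1065, 1164, 1300, 1316) sit in test tooling, but 1171 (csv-parse via restify) is reachable from server code if restify is a production dependency here, so that one deserves explicit confirmation of exposure rather than a blanket exception.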
