nodejs/nodejs-dependency-vuln-assessments

Recursive support on Node.js dependencies

RafaelGSS opened this issue · 3 comments

    Yes, we've discussed it in the last Security WG meeting. We agreed on testing the recursive approach, and in case it adds a lot of noise, we revert it.

Originally posted by @RafaelGSS in #88 (comment)

As discussed in today's meeting (nodejs/security-wg#872), we might want to create another dependency checker for JavaScript code.

Basically, it goes to the deps/node_modules and performs an npm audit, and reports back.

I've tried that before. Some things to watch out for:

  • I believe you need a lock file for npm audit to even run.
  • For Node.js 14 with npm 6 you have to do all operations on deps/npm with npm 6 -- attempting to do so with a later version of npm caused issues (I don't recall the exact specifics).

Maybe we could skip v14 and start from v16, considering v14 will be EOL pretty soon.