Recursive support on Node.js dependencies
RafaelGSS opened this issue · 3 comments
RafaelGSS commented
Yes, we've discussed it in the last Security WG meeting. We agreed on testing the recursive approach, and in case it adds a lot of noise, we revert it.
Originally posted by @RafaelGSS in #88 (comment)
RafaelGSS commented
As discussed in today's meeting nodejs/security-wg#872. We might want to create another dependency checker for JavaScript code.
Basically, it goes to the deps/node_modules and performs an `npm audit`, and reports back.
richardlau commented
> Basically, it goes to the deps/node_modules and performs an `npm audit`, and reports back.
I've tried that before. Some things to watch out for:
- I believe you need a lock file for `npm audit` to even run.
- For Node.js 14 with npm 6 you have to do all operations on `deps/npm` with npm 6 -- attempting to do so with a later version of npm caused issues (I don't recall the exact specifics).
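A sketch of the recursive checker the two comments above describe, as an added example that is not the Security WG's tool or anything from nodejs/node. It walks a `deps/` tree, only audits directories that have both a manifest and a lock file (the precondition noted above), lets the caller point at the checkout's own npm rather than the one on PATH, and applies a severity threshold so the recursive run does not become noise. The `deps/` layout, the `SAMPLE_TREE` dictionary and `SAMPLE_REPORT` are constructed stand-ins so the walk and the report parsing can be exercised offline; the `metadata.vulnerabilities` block is the shape `npm audit --json` emits.

```python
#!/usr/bin/env python3
"""Recursive `npm audit` over vendored JavaScript packages under deps/ (added example)."""
import json
import os
import subprocess
import sys

LOCKFILES = ("package-lock.json", "npm-shrinkwrap.json")
SEVERITIES = ("info", "low", "moderate", "high", "critical")


def is_auditable(filenames):
    """npm audit needs a manifest plus a lock file; decide from a directory listing."""
    return "package.json" in filenames and any(f in filenames for f in LOCKFILES)


def find_auditable_packages(root, walk=os.walk):
    """Directories under root that npm audit can run in. A found package's own
    node_modules is pruned: auditing the package already covers that subtree."""
    found = []
    for dirpath, dirnames, filenames in walk(root):
        if is_auditable(filenames):
            found.append(dirpath)
            dirnames[:] = [d for d in dirnames if d != "node_modules"]
    return found


def summarize(report):
    """Per-severity counts from `npm audit --json` (metadata.vulnerabilities)."""
    counts = report.get("metadata", {}).get("vulnerabilities", {})
    return {sev: int(counts.get(sev, 0)) for sev in SEVERITIES}


def exceeds_threshold(summary, min_severity="high"):
    """True when any finding is at or above min_severity; keeps the report quiet."""
    cutoff = SEVERITIES.index(min_severity)
    return any(summary[sev] > 0 for sev in SEVERITIES[cutoff:])


def run_audit(pkgdir, npm_cmd=("npm",)):
    """Run npm audit in pkgdir and parse its JSON. The exit status is non-zero
    whenever findings exist, so it is not treated as an error. npm_cmd lets the
    caller use the checkout's own npm (assumed path, e.g. node deps/npm/bin/npm-cli.js
    on a v14 tree) instead of whatever is on PATH."""
    proc = subprocess.run([*npm_cmd, "audit", "--json"], cwd=pkgdir,
                          capture_output=True, text=True)
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError:
        return None  # no JSON came back (network failure, unsupported layout, ...)


def audit_tree(root, runner=run_audit, walk=os.walk):
    """Map each auditable package to its severity summary (None if no report)."""
    results = {}
    for pkg in find_auditable_packages(root, walk=walk):
        report = runner(pkg)
        results[pkg] = None if report is None else summarize(report)
    return results


def report_lines(results, min_severity="high"):
    """One line per package at or above the threshold, plus failed audits."""
    lines = []
    for pkg, summary in sorted(results.items()):
        if summary is None:
            lines.append(f"{pkg}: audit produced no report")
        elif exceeds_threshold(summary, min_severity):
            parts = [f"{summary[s]} {s}" for s in SEVERITIES if summary[s]]
            lines.append(f"{pkg}: {', '.join(parts)}")
    return lines


# Constructed stand-in for a checkout's deps/ subtree (None = file, dict = directory).
SAMPLE_TREE = {"deps": {
    "npm": {"package.json": None, "package-lock.json": None,
            "node_modules": {"x": {"package.json": None, "package-lock.json": None}}},
    "acorn": {"package.json": None},  # manifest but no lock file: skipped
    "undici": {"package.json": None, "npm-shrinkwrap.json": None},
    "v8": {"BUILD.gn": None},
}}
# Constructed report in the metadata shape of `npm audit --json`.
SAMPLE_REPORT = {"metadata": {"vulnerabilities": {
    "info": 0, "low": 2, "moderate": 1, "high": 0, "critical": 1, "total": 4}}}


def dict_walk(root, tree=SAMPLE_TREE):
    """os.walk-compatible generator over SAMPLE_TREE; honours pruning of dirnames."""
    node = tree
    for part in root.split("/"):
        node = node[part]

    def _walk(path, node):
        dirnames = [k for k, v in node.items() if isinstance(v, dict)]
        filenames = [k for k, v in node.items() if v is None]
        yield path, dirnames, filenames  # caller may prune dirnames in place here
        for d in dirnames:
            yield from _walk(f"{path}/{d}", node[d])
    return _walk(root, node)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "deps"
    out = report_lines(audit_tree(root))
    print("\n".join(out) or f"no findings at or above threshold under {root}")
    sys.exit(1 if out else 0)
```

Run it from the checkout root (`python3 audit_deps.py deps`); it exits non-zero only when something reaches the threshold or an audit produced no report, which is what a CI job would key on.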
RafaelGSS commented
Maybe we could skip the v14 and start from v16 considering the v14 will be EOL pretty soon.