cordova-dev mailing list archives

From Shazron <shaz...@gmail.com>
Subject Re: [DISCUSS] Use of nsp (node security cli) finds first vulnerable library that we use
Date Sat, 25 Jun 2016 09:35:32 GMT
Bithound is a great tool. Looks like bithound has a cli, but it can only
check a repo at a url, and we can't run it locally before a commit happens
(as part of npm test). So it's more of a post-commit tool, which is fine.
For a nested project like cordova-lib however, it can't analyze the
dependencies -- I'm not sure if you can configure it to handle that repo.

Also it's free for open source projects (and has badges, etc).

Take a look at cordova-js, ouch:
https://www.bithound.io/github/apache/cordova-js/


On Sat, Jun 25, 2016 at 2:02 AM, Jesse <purplecabbage@gmail.com> wrote:

> I would rather let bithound[1][2] handle that stuff, instead of adding a
> bunch of code to our tests for this.
> Here's a fix. [3]
>
> [1] https://www.bithound.io/github/purplecabbage/cordova-coho
> [2] https://www.bithound.io/github/apache/cordova-coho/
> [3] https://github.com/apache/cordova-coho/pull/128
>
> @purplecabbage
> risingj.com
>
> On Sat, Jun 25, 2016 at 1:15 AM, Shazron <shazron@apache.org> wrote:
>
> > I think it's the first [1].
> >
> > This is in cordova-coho [2], from a test [3] that our former intern Vishal
> > (now employee) added. I'm not sure if any other repos are using an nsp test
> > besides coho.
> >
> > We should add this check to our other repos that use node libraries.
> >
> > Thoughts?
> >
> > [1] https://issues.apache.org/jira/browse/CB-11484
> > [2] https://github.com/apache/cordova-coho
> > [3] https://github.com/apache/cordova-coho/blob/c802314090dc262ef41444397a646f5bd178b3db/package.json#L32
> >
>
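As an added illustration of the approach discussed in this thread (running the dependency check locally as part of `npm test`, rather than only post-commit), here is a hypothetical package.json. It is not the cordova-coho package.json linked above, which this archive does not reproduce; the package name, test runner and version ranges are placeholders.

```json
{
  "name": "example-cordova-tool",
  "version": "0.0.1",
  "scripts": {
    "pretest": "nsp check",
    "test": "jasmine"
  },
  "devDependencies": {
    "jasmine": "^2.0.0",
    "nsp": "^2.0.0"
  }
}
```

`npm test` runs the `pretest` hook first, so `nsp check` exits non-zero on a known-vulnerable package and the suite never starts; because nsp inspects the locally installed tree, nested dependencies are covered wherever `npm install` was run. nsp has since been deprecated in favour of the built-in `npm audit`, which slots into the same `pretest` hook.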
