Merge pull request #6690 from MetaMask/npm-audit

Re-enable npm audit CI job
6 years ago · 3dc7e29a51
parent b27fdef5e4 ea142a4dd6
commit 3dc7e29a51
5 changed files with 33668 additions and 19682 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -17,9 +17,9 @@ workflows:
      - test-lint:
          requires:
            - prep-deps-npm
-      # - test-deps:
-      #     requires:
-      #       - prep-deps-npm
+      - test-deps:
+          requires:
+            - prep-deps-npm
      - test-e2e-chrome:
          requires:
            - prep-deps-npm
@ -156,16 +156,16 @@ jobs:
          name: Test
          command: npm run lint

-  # test-deps:
-  #   docker:
-  #     - image: circleci/node:8.11.3-browsers
-  #   steps:
-  #     - checkout
-  #     - attach_workspace:
-  #         at: .
-  #     - run:
-  #         name: Test
-  #         command: sudo npm install -g npm@6 && npm audit
+  test-deps:
+    docker:
+      - image: circleci/node:8.15.1-browsers
+    steps:
+      - checkout
+      - attach_workspace:
+          at: .
+      - run:
+          name: npm audit
+          command: .circleci/scripts/npm-audit

  # test-e2e-beta-drizzle:
  #   docker:
--- a/.circleci/scripts/npm-audit
+++ b/.circleci/scripts/npm-audit
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+set -e
+set -u
+set -o pipefail
+
+if ! npm audit
+then
+    ! npm audit --json > audit.json
+    printf '%s\n' ''
+    node .circleci/scripts/npm-audit-check.js
+fi
--- a/.circleci/scripts/npm-audit-check.js
+++ b/.circleci/scripts/npm-audit-check.js
@ -0,0 +1,24 @@
+const path = require('path')
+const audit = require(path.join(__dirname, '..', '..', 'audit.json'))
+const error = audit.error
+const advisories = Object.keys(audit.advisories || []).map((k) => audit.advisories[k])
+
+if (error) {
+  process.exit(1)
+}
+
+let count = 0
+for (const advisory of advisories) {
+  if (advisory.severity === 'low') {
+    continue
+  }
+
+  count += advisory.findings.some((finding) => (!finding.dev && !finding.optional))
+}
+
+if (count > 0) {
+  console.log(`Audit shows ${count} moderate or high severity advisories _in the production dependencies_`)
+  process.exit(1)
+} else {
+  console.log(`Audit shows _zero_ moderate or high severity advisories _in the production dependencies_`)
+}
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -56,7 +56,7 @@
    "@material-ui/core": "1.0.0",
    "@sentry/browser": "^4.1.1",
    "@zxing/library": "^0.8.0",
-    "abi-decoder": "^1.0.9",
+    "abi-decoder": "^1.2.0",
    "asmcrypto.js": "0.22.0",
    "async": "^2.5.0",
    "await-semaphore": "^0.1.1",
@ -90,8 +90,8 @@
    "eth-contract-metadata": "github:MetaMask/eth-contract-metadata#dc68506221859bc90792bc5e0279a6835f2484d8",
    "eth-ens-namehash": "^2.0.8",
    "eth-hd-keyring": "^1.2.2",
-    "eth-json-rpc-filters": "^3.0.3",
-    "eth-json-rpc-infura": "^3.0.0",
+    "eth-json-rpc-filters": "^3.0.4",
+    "eth-json-rpc-infura": "^3.2.0",
    "eth-keyring-controller": "^3.3.1",
    "eth-ledger-bridge-keyring": "^0.2.0",
    "eth-method-registry": "^1.2.0",
@ -101,7 +101,7 @@
    "eth-token-tracker": "^1.1.5",
    "eth-trezor-keyring": "^0.4.0",
    "ethereumjs-abi": "^0.6.4",
-    "ethereumjs-tx": "^1.3.0",
+    "ethereumjs-tx": "^1.3.7",
    "ethereumjs-util": "github:ethereumjs/ethereumjs-util#ac5d0908536b447083ea422b435da27f26615de9",
    "ethereumjs-wallet": "^0.6.0",
    "etherscan-link": "^1.0.2",
@ -115,13 +115,14 @@
    "fast-json-patch": "^2.0.4",
    "fast-levenshtein": "^2.0.6",
    "fuse.js": "^3.2.0",
+    "gaba": "^1.3.0",
    "hat": "0.0.3",
    "human-standard-token-abi": "^2.0.0",
    "identicon.js": "^2.3.1",
    "inject-css": "^0.1.1",
    "jazzicon": "^1.2.0",
    "json-rpc-engine": "^4.0.0",
-    "json-rpc-middleware-stream": "^2.1.0",
+    "json-rpc-middleware-stream": "^2.1.1",
    "jsonschema": "^1.2.4",
    "lodash.debounce": "^4.0.8",
    "lodash.memoize": "^4.1.2",
@ -187,18 +188,18 @@
    "swappable-obj-proxy": "^1.1.0",
    "textarea-caret": "^3.0.1",
    "valid-url": "^1.0.9",
-    "web3": "^0.20.1",
+    "web3": "^0.20.7",
    "web3-stream-provider": "^3.0.1",
    "webrtc-adapter": "^6.3.0",
    "xtend": "^4.0.1"
  },
  "devDependencies": {
    "@sentry/cli": "^1.30.3",
-    "@storybook/addon-info": "^3.4.2",
+    "@storybook/addon-info": "^5.1.1",
    "@storybook/addon-knobs": "^3.4.2",
-    "@storybook/react": "^3.4.2",
-    "addons-linter": "^1.3.4",
-    "babel-core": "^6.24.1",
+    "@storybook/react": "^5.1.1",
+    "addons-linter": "^1.10.0",
+    "babel-core": "^6.26.3",
    "babel-eslint": "^8.0.0",
    "babel-plugin-transform-async-to-generator": "^6.24.1",
    "babel-plugin-transform-runtime": "^6.23.0",
@ -215,7 +216,7 @@
    "clipboardy": "^1.2.3",
    "coveralls": "^3.0.0",
    "cross-env": "^5.1.4",
-    "css-loader": "^0.28.11",
+    "css-loader": "^2.1.1",
    "deep-freeze-strict": "^1.1.1",
    "del": "^3.0.0",
    "envify": "^4.0.0",
@ -225,15 +226,14 @@
    "eslint-plugin-json": "^1.2.0",
    "eslint-plugin-mocha": "^5.0.0",
    "eslint-plugin-react": "^7.4.0",
-    "eth-json-rpc-middleware": "^3.1.6",
+    "eth-json-rpc-middleware": "^3.1.7",
    "fetch-mock": "^6.5.2",
    "file-loader": "^1.1.11",
    "fs-extra": "^6.0.1",
    "fs-promise": "^2.0.3",
-    "gaba": "^1.3.0",
    "ganache-cli": "^6.1.0",
-    "ganache-core": "^2.5.3",
-    "geckodriver": "^1.14.1",
+    "ganache-core": "^2.5.5",
+    "geckodriver": "^1.16.2",
    "gh-pages": "^1.2.0",
    "gifencoder": "^1.1.0",
    "gulp": "^4.0.0",
@ -252,16 +252,16 @@
    "gulp-uglify": "^3.0.0",
    "gulp-uglify-es": "^1.0.1",
    "gulp-util": "^3.0.7",
-    "gulp-watch": "^5.0.0",
+    "gulp-watch": "^5.0.1",
    "gulp-zip": "^4.0.0",
    "http-server": "^0.11.1",
    "image-size": "^0.6.2",
    "isomorphic-fetch": "^2.2.1",
-    "jsdoc": "^3.5.5",
+    "jsdoc": "^3.6.2",
    "jsdom": "^11.2.0",
    "jsdom-global": "^3.0.2",
    "jshint-stylish": "~2.2.1",
-    "karma": "^3.1.1",
+    "karma": "^4.1.0",
    "karma-chrome-launcher": "^2.2.0",
    "karma-cli": "^1.0.1",
    "karma-firefox-launcher": "^1.0.1",
@ -272,7 +272,7 @@
    "mocha-jsdom": "^1.1.0",
    "mocha-sinon": "^2.0.0",
    "nock": "^9.0.14",
-    "node-sass": "^4.9.2",
+    "node-sass": "^4.12.0",
    "nyc": "^13.0.0",
    "path": "^0.12.7",
    "png-file-stream": "^1.1.0",
@ -298,11 +298,11 @@
    "style-loader": "^0.21.0",
    "stylelint-config-standard": "^18.2.0",
    "tape": "^4.5.1",
-    "testem": "^2.8.0",
+    "testem": "^2.16.0",
    "through2": "^2.0.3",
    "vinyl-buffer": "^1.0.1",
    "vinyl-source-stream": "^2.0.0",
-    "watchify": "^3.11.0"
+    "watchify": "^3.11.1"
  },
  "engines": {
    "node": "8.11.3",