The npm audit script was auditing all dependencies, then filtering the
results to just the advisories concerning production dependencies. This
was done by checking the boolean `dev` and `optional` properties of each
`findings` entry in each advisory.

The `dev` and `optional` properties are now missing, which is resulting
in dev advisories being mistakenly identified as affecting production.

This check has been removed, and instead the `--production` flag is used
when calling `npm audit`. This accomplishes the same goal without
relying as much upon the audit output format.

The `--production` flag was added in `npm` `v6.10.0`, so `npm` has been
updated to the current latest stable (`v6.10.2`) for the `test-deps`
job. It was also updated on the `prep-deps-npm` job to ensure
consistency in behaviour. The other jobs only use `npm run` which hasn't
changed substantially in some time, so compatibility isn't really a
concern for those.

`audit.json` has also been added to `.gitignore`. It was accidentally
checked in once while working on this branch.
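
The failure mode described in the commit message above, as an added example (not the project's audit script, which is not shown on this page). The report shape follows the message's description of `findings` entries with boolean `dev` and `optional` properties; the advisory ids, module names and function names are constructed, and the strict variant is an illustration, not what the commit did (it switched to `--production`).

```javascript
// Constructed sample shaped like the audit output the commit message
// describes: advisories, each with a `findings` array. Names are made up.
const oldFormat = {
  advisories: {
    1: { module_name: 'prod-lib', findings: [{ version: '1.0.0', dev: false, optional: false }] },
    2: { module_name: 'test-tool', findings: [{ version: '2.0.0', dev: true, optional: false }] },
  },
};

// The same report once the `dev` and `optional` properties are missing.
const newFormat = JSON.parse(JSON.stringify(oldFormat));
for (const advisory of Object.values(newFormat.advisories)) {
  for (const finding of advisory.findings) {
    delete finding.dev;
    delete finding.optional;
  }
}

// Hypothetical reconstruction of the removed check: an advisory counts as
// production if any finding is neither dev nor optional. A missing property
// reads as `undefined`, so `!f.dev` is true and dev advisories slip through.
function productionAdvisories(report) {
  return Object.values(report.advisories)
    .filter((a) => a.findings.some((f) => !f.dev && !f.optional))
    .map((a) => a.module_name);
}

// Stricter variant: refuse to classify when the booleans are absent, so a
// format change fails loudly instead of silently changing the results.
function productionAdvisoriesStrict(report) {
  for (const a of Object.values(report.advisories)) {
    for (const f of a.findings) {
      if (typeof f.dev !== 'boolean' || typeof f.optional !== 'boolean') {
        throw new TypeError(`audit finding for ${a.module_name} lacks dev/optional`);
      }
    }
  }
  return productionAdvisories(report);
}

console.log(productionAdvisories(oldFormat)); // dev advisory filtered out
console.log(productionAdvisories(newFormat)); // dev advisory reported as production
```
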

* ci: Rename full_test to test_and_release
* ci: Add scripts to automate GH releases
* Add .bak files to .gitignore
* ci: Add reviewer to the auto version PR

The Drizzle tests have not been used for some time. They were used to
ensure compatibility with newer versions of `web3` v1. If we want to
re-add tests to ensure compatibility with newer `web3` versions, we
should find some way of doing that more reliably than was done here -
these tests were somewhat flaky and unreliable.

`addons-linter` will occasionally run out of heap space. This provides 3
GB of heap for that script rather than the default ~1.5 GB. The CircleCI
containers have 4GB of memory, so this should leave plenty of extra
space for non-heap memory.

The MetaMask bot is currently failing to publish docs updates, and it is
[blocking our ability to release new
versions](https://github.com/MetaMask/metamask-extension/pull/6765).
While we should pursue a proper fix, I think it's worth disabling in the
meanwhile so this glitch doesn't interfere with our regular release
cadence further.

Auditing packages when installing here doesn't help anyone as the summary
isn't visible and vulnerabilities don't produce a non-zero exit code. We
will have `npm audit` as an extra CI job.

* added drizzle app for testing
* working
* clean up
* clean up script
* make build step required
* add drizzle-tests to .eslintignore
* clean up drizzle run script
* lint
* use truffle unbox
* undo eslintignore changes
* revert change
* dont use global
* dont need this steps
* use the new account flow
* restore package-lock.json

Two important notes:
1. The time it takes to download is negligible compared to e2e test runs
2. Since we cannot use environment variables in CircleCI cache keys we
can't cache the download correctly and have it update when we switch
Firefox versions—this isn't the end of the world because of point 1