Dependency auditing #62

Open
opened 2022-02-27 20:00:34 +00:00 by tusooa · 5 comments
Owner

There is currently no routine for updating dependencies regularly, which could lead to security vulnerabilities.

For frontend, hj recommended https://docs.renovatebot.com/ which could be integrated with gitlab.

For backend, https://github.com/mirego/mix_audit or mix hex.outdated is suggested.

Both should be run on a regular basis.

Member

Extra for BE that we could also run:

```
mix hex.audit     # Shows retired Hex deps for the current project
mix hex.outdated  # Shows outdated Hex deps for the current project
```

See `mix hex`.
Author
Owner

Some trials:

https://lily.kazv.moe/infra/renovator

  1. Create a new account on gitlab, grant it access to push to the pleroma-fe repo (I think developer is ok)
  2. Create a token on gitlab for that account that has `api, read_user, write_repository`
  3. Create a user on GitHub.com, create a personal access token (the doc says "read-only" is ok, I gave it `read:packages` scope)
  4. Create a repo, using https://lily.kazv.moe/infra/renovator as a template. Change as needed:
     - `endpoint: 'https://lily.kazv.moe/api/v4/',`
     - `repositories: ['infra/pleroma-fe'],`
     - `export RENOVATE_GIT_AUTHOR='Renovate Bot <renovate@lily.kazv.moe>'` (change it to the email associated with that account)
  5. In CI/CD configuration for that repo, add variables `GITHUB_COM_TOKEN` (the github.com token just created) and `RENOVATE_TOKEN` (the gitlab token just created).
  6. Add a scheduled pipeline that runs at a desired frequency. To check everything works, play that pipeline and see it creates a merge request that adds a config file to the repo (like https://lily.kazv.moe/infra/pleroma-fe/-/merge_requests/1 ). **Merge that** and run the pipeline again, it should start creating other mrs.

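As an added example (not the infra/renovator template and not code posted in this thread), here is a `config.js` that the renovator repo could carry to wire together the values from the steps above: the GitLab API endpoint, the repository list, the bot's git author, and the two CI/CD variables `RENOVATE_TOKEN` and `GITHUB_COM_TOKEN`. The option names `platform`, `endpoint`, `token`, `gitAuthor`, `repositories` and `onboarding` are Renovate's own; `missingSecrets`, `buildRenovateConfig` and the pre-flight branch are this example's, and the host, repo and author values are copied from the steps for illustration rather than recommended.

```javascript
// config.js for a self-hosted Renovate run against a GitLab instance.
// Added example, not the infra/renovator template.  Renovate picks this
// file up from the working directory of the `renovate` process.
'use strict';

// CI/CD variables the scheduled pipeline must provide.  Set them as masked
// variables on the renovator project; they are never stored in the repo.
// RENOVATE_TOKEN   - GitLab token of the bot account (api, read_user,
//                    write_repository)
// GITHUB_COM_TOKEN - github.com token used only to fetch release notes,
//                    which Renovate reads from the environment by itself
const REQUIRED_SECRETS = ['RENOVATE_TOKEN', 'GITHUB_COM_TOKEN'];

// Return the names of required secrets that are unset or blank.
function missingSecrets(env) {
  return REQUIRED_SECRETS.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
}

// Build the Renovate config from the environment.  A missing token makes
// the run fail loudly instead of silently running unauthenticated, which is
// exactly when the github.com rate limit would bite.
function buildRenovateConfig(env, opts = {}) {
  const missing = missingSecrets(env);
  if (missing.length > 0) {
    throw new Error(`missing CI/CD variables: ${missing.join(', ')}`);
  }
  // Host and repositories are assumptions taken from the steps above.
  const gitlabHost = opts.gitlabHost || 'https://lily.kazv.moe';
  return {
    platform: 'gitlab',
    endpoint: `${gitlabHost}/api/v4/`,
    token: env.RENOVATE_TOKEN,
    // Must match the e-mail of the account that owns RENOVATE_TOKEN, or the
    // MR commits will be attributed to someone else.
    gitAuthor: opts.gitAuthor || 'Renovate Bot <renovate@lily.kazv.moe>',
    repositories: opts.repositories || ['infra/pleroma-fe'],
    // First run opens the "Configure Renovate" onboarding MR; update MRs
    // only start once that MR has been merged.
    onboarding: true,
  };
}

const isCommonJs = typeof module !== 'undefined' && typeof require !== 'undefined';
if (isCommonJs && require.main !== module) {
  // Loaded by Renovate: hand over the config (throws if a token is missing).
  module.exports = buildRenovateConfig(process.env);
} else if (isCommonJs) {
  // Executed directly (`node config.js`) as a pre-flight check in the
  // pipeline, before the actual renovate run.
  const missing = missingSecrets(process.env);
  console.log(
    missing.length > 0
      ? `missing CI/CD variables: ${missing.join(', ')}`
      : 'all required CI/CD variables are present'
  );
}
```

In the pipeline this replaces the hand-edited `endpoint`/`repositories` lines and the `export RENOVATE_GIT_AUTHOR=...` from the steps with one place that reads every secret from the CI/CD variables; the pre-flight branch lets a scheduled job fail on a misconfigured variable before any API call is made.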
Author
Owner

The only thing I frown upon is the requirement of a GitHub account.

Member

Me: It surely can't be that bad if you're self-hosted.

Renovate Bot docs: The GitHub.com token in env is necessary in order to retrieve Release Notes that are usually hosted on github.com. You don't need to add it if you are already running the bot against github.com, but you do need to add it if you're using GitHub Enterprise, GitLab, Azure DevOps, or Bitbucket.

Me: Oh....

An additional edit: Apparently, the reason they require this is because of GitHub's rate limits for unauthenticated requests to their API. https://github.com/renovatebot/renovate/blob/main/docs/usage/getting-started/running.md#githubcom-token-for-release-notes

Author
Owner

Yeah, it's possible to just register an empty account for it... but again, considering npm/yarn audit does not need a github.com account
Labels: BE
3 participants
Reference: pleroma/pleroma-meta#62