Closed Bug 1017898 Opened 10 years ago Closed 10 years ago

figure out process for keeping our dependent libraries up-to-date

Categories: Hello (Loop) :: Server, defect
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: VERIFIED FIXED

People: Reporter dmosedale, Unassigned

Details

There are both server and client pieces to this, which may want their own sub-bugs.

We need to get set up so that we're notified whenever dependent libraries change so that we can see if they have security fixes that we need to pick up.

We'll also probably just generally want to keep up-to-date much of the time, regardless of security changes, and we'll want to figure out how to make that as low-overhead as possible.
I also filed https://bugzilla.mozilla.org/show_bug.cgi?id=1020572 before seeing this bug...

One package I like for security updates is https://github.com/nodesecurity/grunt-nsp-package (although I'm not sure if there is a non-Grunt version available, or if we would have to roll our own logic to upload the package.json or shrinkwrap.json file to whatever endpoint grunt-nsp-package uses; it looks like https://nodesecurity.io/validate/hapi/2.0.0).

Another thing we can do is add badges to the README.md files using https://david-dm.org/, although with how frequently packages get updated in npm, I imagine the badge will always say something is slightly out of date.
david-dm is really useful. I guess that's something we want to use as part of the QA process, or from time to time from the dev POV. We probably don't want to automate that.

I've just done it, and doing it manually was really easy; I guess we should stay this way. Closing for now, feel free to reopen if you think it's worth it.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
OK.
Status: RESOLVED → VERIFIED