Closed Bug 1786290 Opened 3 years ago Closed 2 years ago

Use microsoft/sdl/no-insecure-url instead of github:mozfreddyb/eslint-plugin-sdl...

Categories

(Core :: DOM: Security, task, P3)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
122 Branch
Tracking Flags:
Tracking Status
firefox122 --- fixed

People

(Reporter: t.yavor, Assigned: maltejur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1786290 - Update @microsoft/eslint-plugin-sdl to version 0.2.2 r=freddyb,standard8
48 bytes, text/x-phabricator-request
Details | Review

In package.json we should use microsoft/sdl/no-insecure-url.
For that reason we need to complete the PR to microsoft/sdl/rules:
https://github.com/microsoft/eslint-plugin-sdl/pull/39#issuecomment-1214966408

Summary: Use instead of github:mozfreddyb/eslint-plugin-sdl... microsoft/sdl/no-insecure-url → Use microsoft/sdl/no-insecure-url instead of github:mozfreddyb/eslint-plugin-sdl...
Assignee: nobody → lyavor
Severity: -- → N/A
Priority: -- → P3
Whiteboard: [domsecurity-active]

Believe it or not, upstream took our changes and we can switch from my fork and use the real deal.
Malte, is this something you would be willing to explore?

The idea is to look at the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=1709150 and switch from the mozfreddyb-fork of the repo to the official Microsoft version.

Flags: needinfo?(mjurgens)

(In reply to Frederik Braun [:freddy] from comment #1)

The idea is to look at the patch from https://bugzilla.mozilla.org/show_bug.cgi?id=1709150 and switch from the mozfreddyb-fork of the repo to the official Microsoft version.

It looks like that hasn't been released yet, should we ask them for a new minor release so we can switch back to a specific version?

(In reply to Frederik Braun [:freddy] from comment #1)

Malte, is this something you would be willing to explore?

Sure, I'll do as soon as they release a new version. We could also already switch to using their master branch directly, however I am not sure if that brings any benefit over what we are currently doing.

Flags: needinfo?(mjurgens)

Using their unversioned development branch seems a bit risky (even though they don't appear to be making a lot of changes right now :)).
I think we need to wait further, I somehow forgot that them merging the code still doesn't mean we can use it. Let's continue when they have published a release..

You could probably lock it at a certain commit like it is already done currently, but I would also just say we wait a bit until they create a new release.

Assignee: t.yavor → nobody

It seems v0.2.2 is out now, and includes the relevant changes. I'll create a patch updating to that version.

Assignee: nobody → mjurgens
Status: NEW → ASSIGNED
Pushed by fbraun@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/86da25fdbc81 Update @microsoft/eslint-plugin-sdl to version 0.2.2 r=freddyb,Standard8

https://hg.mozilla.org/mozilla-central/rev/86da25fdbc81

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox122: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 122 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: