Using snyk for package vulnerability verification
obara.justin at gmail.com
Wed Apr 12 19:11:51 UTC 2017
I’ve added the fluid-project repos to Snyk with the exception of repos that
were forks ( unless they were named fluid-* ).
On April 12, 2017 at 11:47:42 AM, Tirloni, Giovanni (gtirloni at ocadu.ca)
By lazy consensus rules, there have been no objections to adopting this
Unfortunately I don't have admin privileges to the fluid-project
organization to add the repositories to Snyk myself. Anyone with those
privileges, please feel free to login to Snyk, select the 'Fluid Project'
organization in the top dropdown, click on 'Add my GitHub repositories to
Snyk' and then select the ones from the 'fluid-project' GitHub
On 04/06/2017 09:48 AM, Tirloni, Giovanni wrote:
> There was a discussion in the GPII Architecture mailing list that started
in Oct 2015 when snyk.io was released and I believe it would beneficial to
adopt it for Fluid repositories.
> Here are the relevant threads:
> And here's more information about Snyk:
> I took the liberty of creating a "Fluid Project" organization in Snyk and
invited the Fluid Project's GitHub administrators to it (as I don't have
permission to add repositories).
> Enabling Snyk for a repository means:
> * A WebHook will get added to notify snyk.io of new PR and commits
> * A notification will be added to new PRs to identify if they introduce
security vulnerabilities (within snyk's scope)
> * The repository will be constantly monitored for new vulnerability
> To clarify, Snyk is not a static code analyzer. It simply inspects
dependencies that have known vulnerabilities.
> If there is consensus on adopting this tool, I would like to request that
someone with admin privileges to the Fluid Project in GitHub to access
Snyk.io and add the repositories.
> -------- Forwarded Message --------
> Subject: Re: [Architecture] snyk node package vulnerability checker now
> Date: 04/06/2017 04:50 AM
> From: Tony Atkins <tony at raisingthefloor.org>
> To: Tirloni, Giovanni <gtirloni at ocadu.ca>
> CC: architecture at lists.gpii.net Architecture <architecture at lists.gpii.net>
> Hi, Giovanni.
> Personally I would be happy to have this for every repo and PR. Even
though many of us regularly run "npm outdated" (or "yarn outdated") and
test our work with newer libraries, having a report on known bad versions
gives us a consistent "trailing edge". By that I mean that if we haven't
managed to otherwise update our dependencies when snyk identifies a
problem, we have a good reason to take a moment and review.
> Anyway, +1 from me.
> On Wed, Apr 5, 2017 at 6:20 PM, Tirloni, Giovanni <gtirloni at ocadu.ca
<mailto:gtirloni at ocadu.ca>> wrote:
> Snyk can monitor repositories and test new PRs for vulnerable packages.
> Is there interest in having this tool automatically monitoring our
repositories? It's free for open source project.
> On 10/29/2015 02:29 PM, Steve Lee wrote:
> > https://snyk.io/
> > Steve Lee
> > OpenDirective http://opendirective.com
> > _______________________________________________
> > Architecture mailing list
> > Architecture at lists.gpii.net <mailto:Architecture at lists.gpii.net>
> > http://lists.gpii.net/mailman/listinfo/architecture <
> Architecture mailing list
> Architecture at lists.gpii.net <mailto:Architecture at lists.gpii.net>
> http://lists.gpii.net/mailman/listinfo/architecture <
> fluid-work mailing list - fluid-work at lists.idrc.ocad.ca
> To unsubscribe, change settings or access archives,
> see http://lists.idrc.ocad.ca/mailman/listinfo/fluid-work
fluid-work mailing list - fluid-work at lists.idrc.ocad.ca
To unsubscribe, change settings or access archives,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the fluid-work