Describe the improvement you're thinking about
Modify https://github.com/semaphore-protocol/semaphore/blob/main/scripts/publish.ts or add prepublish script(s) to fail if npm audit (yarn npm audit) returns security vulnerabilities that are >= High.
Many of these issues are likely not relevant (only apply to servers, only specific components, etc.), but it would:
- Increase confidence of package consumers during installs/updates
- Prevent adding/updating of deps with known vulnerabilities
It would NOT:
- Prevent Semaphore packages with discovered dep vulnerabilities post-publish. npm-deprecate could be useful here, as well as Dependabot (below).
Describe alternatives you've considered
Questions
- If one package has alerts but others do not, should all the publishes fail (atomic) or only those with alerts?
- Should there be the ability to override the alert blocking publishing, say if a critical fix needs to go out? Is there a need to suppress specific alerts?
- Can always comment out this check in the publish script/package JSON.
Additional context
#920 (comment)
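As an added example (not code from the Semaphore repository or its publish.ts), one way such a prepublish gate could look. It assumes the npm v7+ `npm audit --json` report shape, where `metadata.vulnerabilities` holds per-severity counts; `yarn npm audit --json` emits a different format and would need its own parser. The environment variable names (`AUDIT_GATE_LEVEL`, `AUDIT_GATE_OVERRIDE`, `AUDIT_GATE_RUN`) and the sample report are made up for the example. Parse failures are treated as a blocking result rather than as "no findings", so a broken audit cannot silently pass, and the override answers the question above about letting a critical fix out despite open alerts.

```typescript
// Added example: a prepublish gate that fails when `npm audit --json` reports
// findings at or above a severity threshold. Not part of Semaphore's own scripts.
import { spawnSync } from "node:child_process";

// npm's severity ladder, lowest to highest.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"] as const;
type Severity = (typeof SEVERITIES)[number];
type Counts = Record<Severity, number>;

// Constructed sample of an npm v7+ audit report (auditReportVersion 2); the
// package name and advisory are placeholders, not a real vulnerability.
const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "example-dep": { name: "example-dep", severity: "high", range: "<1.2.3", fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 0, high: 1, critical: 0, total: 3 } },
});

// Extract per-severity counts from the report. Returns null on malformed
// input so the caller fails closed instead of treating it as a clean audit.
function parseAuditCounts(json: string): Counts | null {
  let report: any;
  try {
    report = JSON.parse(json);
  } catch {
    return null;
  }
  const meta = report?.metadata?.vulnerabilities;
  if (!meta || typeof meta !== "object") return null;
  const counts = {} as Counts;
  for (const s of SEVERITIES) {
    const n = meta[s];
    counts[s] = typeof n === "number" && Number.isFinite(n) ? n : 0;
  }
  return counts;
}

function severityRank(s: Severity): number {
  return SEVERITIES.indexOf(s);
}

// Severities at or above the threshold that have at least one finding.
function blockingSeverities(counts: Counts, threshold: Severity): Severity[] {
  const min = severityRank(threshold);
  return SEVERITIES.filter((s) => severityRank(s) >= min && counts[s] > 0);
}

// Decide whether publishing may proceed. `override` models an explicit
// escape hatch for emergency releases; it is logged, never silent.
function evaluateReport(json: string, threshold: Severity, override = false): { ok: boolean; reason: string } {
  const counts = parseAuditCounts(json);
  if (counts === null) return { ok: false, reason: "could not parse npm audit report; refusing to publish" };
  const blocking = blockingSeverities(counts, threshold);
  if (blocking.length === 0) return { ok: true, reason: `no findings at or above ${threshold}` };
  const summary = blocking.map((s) => `${s}=${counts[s]}`).join(", ");
  if (override) return { ok: true, reason: `override set; publishing despite ${summary}` };
  return { ok: false, reason: `blocking findings at or above ${threshold}: ${summary}` };
}

// npm exits non-zero whenever it finds vulnerabilities, so use spawnSync and
// read stdout regardless of the exit status instead of letting execSync throw.
function runNpmAudit(cwd: string = process.cwd()): string {
  const res = spawnSync("npm", ["audit", "--json"], { cwd, encoding: "utf8" });
  if (res.error) throw res.error;
  return res.stdout ?? "";
}

// Entry point for use as a prepublish step; returns the process exit code.
function main(): number {
  const level = process.env.AUDIT_GATE_LEVEL ?? "high";
  if (!(SEVERITIES as readonly string[]).includes(level)) {
    console.error(`[audit-gate] unknown AUDIT_GATE_LEVEL "${level}"; refusing to publish`);
    return 1;
  }
  const override = process.env.AUDIT_GATE_OVERRIDE === "1";
  const { ok, reason } = evaluateReport(runNpmAudit(), level as Severity, override);
  console.log(`[audit-gate] ${reason}`);
  return ok ? 0 : 1;
}

// Only shell out to npm when explicitly asked, so importing this file is side-effect free.
if (process.env.AUDIT_GATE_RUN === "1") process.exit(main());
```

Wired in as `"prepublishOnly": "AUDIT_GATE_RUN=1 ts-node audit-gate.ts"` (or called from publish.ts before the first package is published), a single gate run covers the whole monorepo's lockfile, which makes the failure atomic across packages; a per-package decision would need one audit per workspace directory instead.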