Support custom CA certs when the Retire.js analyzer installs npm packages
Problem to solve
Users of npm/yarn projects with a custom repository using a custom CA chain currently need extra configuration to make Dependency Scanning work. They must either:
- set `ca` or `cafile` in their `.npmrc`, or set `strict-ssl` to `false` (which turns off TLS certificate verification for npm entirely)
- set `NODE_EXTRA_CA_CERTS` in their CI variables
Instead, users should be able to add their certificate using `ADDITIONAL_CA_CERT_BUNDLE`, as documented.
Intended users
Personas are described at https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/
Proposal
Make the analyzer set `NODE_EXTRA_CA_CERTS` from the value of `ADDITIONAL_CA_CERT_BUNDLE` so that all Node tools, such as `npm`, `yarn` and the `retire.js` module, use the given CA certificate bundle. Note that `NODE_EXTRA_CA_CERTS` expects the path of a PEM file, whereas `ADDITIONAL_CA_CERT_BUNDLE` carries the bundle contents, so the analyzer has to write the bundle to a file and point `NODE_EXTRA_CA_CERTS` at that file.
Currently, the analyzer might execute `npm` or `yarn`, and then executes `retire`.
With this change users will be able to use a private npm repo with a custom CA certificate chain without modifying the template or turning npm's strict SSL verification off.
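The following is an added example written for this issue, not the analyzer's own code. It shows the shell logic the proposal calls for: take the bundle from `ADDITIONAL_CA_CERT_BUNDLE`, write it to a PEM file, and export `NODE_EXTRA_CA_CERTS` so that `npm`, `yarn` and `retire` all trust it, without touching `strict-ssl`. It assumes that `ADDITIONAL_CA_CERT_BUNDLE` holds the PEM text of the bundle (a value that is already a path to an existing file is accepted too); the function names, the output path and the sample certificate block are made up for illustration.

```shell
#!/bin/sh
# Added example (not the analyzer's own code): make Node-based tools trust the
# CA bundle passed in ADDITIONAL_CA_CERT_BUNDLE.
#
# Assumption: ADDITIONAL_CA_CERT_BUNDLE contains the PEM text of the bundle,
# while Node's NODE_EXTRA_CA_CERTS expects a *file path*. The bundle is therefore
# written to disk first. If the variable already names a readable file, that
# path is used as-is.

# Print the path of a PEM file holding the bundle.
# $1: bundle text or path; $2: optional output path for written text.
# Returns 1 (printing nothing) when the input is neither PEM text nor a file.
ca_bundle_to_file() {
  _bundle="$1"
  _out="${2:-${TMPDIR:-/tmp}/additional-ca-cert-bundle.pem}"
  [ -n "$_bundle" ] || return 1
  if [ -f "$_bundle" ]; then
    printf '%s\n' "$_bundle"
    return 0
  fi
  case "$_bundle" in
    *"-----BEGIN CERTIFICATE-----"*)
      printf '%s\n' "$_bundle" > "$_out"
      # CA certificates are public, so world-readable is fine; the tools may
      # run under a different uid than the one that wrote the file.
      chmod 0644 "$_out"
      printf '%s\n' "$_out"
      return 0
      ;;
  esac
  return 1
}

# Count the certificates in a PEM file, a cheap sanity check that the whole
# chain (root plus intermediates) made it into the bundle.
pem_cert_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Export NODE_EXTRA_CA_CERTS for npm, yarn and retire. Doing nothing when no
# usable bundle is present keeps the default behaviour for everyone else.
configure_node_ca_certs() {
  _path=$(ca_bundle_to_file "$ADDITIONAL_CA_CERT_BUNDLE") || return 0
  NODE_EXTRA_CA_CERTS="$_path"
  export NODE_EXTRA_CA_CERTS
}

# At analyzer start-up: configure, then run the usual tool chain.
configure_node_ca_certs
if [ -n "$NODE_EXTRA_CA_CERTS" ]; then
  echo "NODE_EXTRA_CA_CERTS=$NODE_EXTRA_CA_CERTS ($(pem_cert_count "$NODE_EXTRA_CA_CERTS") certificate(s))"
fi
# npm install ...   # or yarn install ...
# retire ...
```

The exported variable is inherited by every child process, so a single call before `npm`/`yarn`/`retire` covers all three; the certificate count is worth logging because a bundle that is missing an intermediate fails with the same "unable to get local issuer certificate" error as no bundle at all.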
Documentation
- update offline documentation for `npm` and `yarn`
Availability & Testing
- test in the `js-npm` and `js-yarn` test projects with a custom npm repository
What does success look like, and how can we measure that?
Users will be able to pass in a custom npm repo with a self-signed certificate and have the analyzer scan without certificate errors.
Is this a cross-stage feature?
No.