Provide vulnerability remediations for npm projects

Problem to solve

Remediation data makes it possible to create merge requests that fix vulnerabilities.

Currently, npm-based projects aren't supported (only Yarn-based ones are).

Intended users

User experience goal

As a developer of a JS project that uses npm as its package manager, I want to be able to easily create merge requests that fix vulnerabilities, based on the information provided by GitLab's Dependency Scanning feature.

Proposal

Make the Gemnasium analyzer generate remediation data, which the Rails application will then use automatically to offer MR creation.

See what can be leveraged to support this:

Feature                              | Supported | Comments
Update top-level dependency via CLI  |           | npm update
Update transitive dependency via CLI | 🚫        |
Upgrade top-level dependency via CLI |           | npm update
Easy to edit dependency file         |           | JSON file
API endpoint to list dependencies    |           | JSON output, one query to list the dependencies of all package versions
List dependencies via CLI            |           | npm view, JSON output, one execution to list the dependencies of one package version
Add top-level dependency via CLI     |           | npm update
Local packages support               |           |
Conflicts reported by CLI            |           | to be checked

See CLI documentation

(A dependency upgrade changes the requirements declared in the dependency file, whereas an update only changes the lock file and leaves the dependency file untouched.)
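As an added illustration of the "upgrade top-level dependency" path discussed above (this is not code from the Gemnasium analyzer or GitLab), the following Python edits a top-level requirement in package.json and produces the unified diff a remediation would carry; the sample package.json, the package names and the fixed version are constructed, and a transitive dependency is rejected rather than guessed at, mirroring the unsupported CLI case in the table.

```python
import difflib
import json

# Constructed sample package.json; not taken from any real project.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {"lodash": "^4.17.15", "express": "~4.17.1"},
    "devDependencies": {"jest": "^26.0.0"},
}, indent=2) + "\n"


def upgrade_top_level_dependency(package_json: str, name: str, fixed_version: str):
    """Return (new_package_json, unified_diff) with `name` raised to `fixed_version`.

    Only a dependency declared directly in package.json can be remediated this
    way: for a transitive dependency there is no requirement line to edit, so
    the function raises ValueError instead of producing a misleading diff.
    """
    data = json.loads(package_json)
    sections = [s for s in ("dependencies", "devDependencies", "optionalDependencies")
                if name in data.get(s, {})]
    if not sections:
        raise ValueError(f"{name} is not a top-level dependency; remediation unsupported")
    for section in sections:
        current = data[section][name]
        # Keep a leading ^ or ~ chosen by the developer; any other range becomes an exact pin.
        prefix = current[0] if current[:1] in ("^", "~") else ""
        data[section][name] = f"{prefix}{fixed_version}"
    updated = json.dumps(data, indent=2) + "\n"
    # The diff is the artifact a merge request would apply to the dependency file.
    diff = "".join(difflib.unified_diff(
        package_json.splitlines(keepends=True), updated.splitlines(keepends=True),
        fromfile="a/package.json", tofile="b/package.json"))
    return updated, diff


if __name__ == "__main__":
    _, remediation_diff = upgrade_top_level_dependency(SAMPLE_PACKAGE_JSON, "lodash", "4.17.21")
    print(remediation_diff)
```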

Implementation plan

TODO

Permissions and Security

Documentation

Availability & Testing

  • Provide a test project (or a dedicated branch in an existing project) to validate that remediations work for npm projects.

What does success look like, and how can we measure that?

Findings reported for npm projects can be resolved by automatically creating a merge request.

This could be measured with #229644 (closed) once implemented, but this is outside of the scope of this issue.

What is the type of buyer?

GitLab Ultimate

Is this a cross-stage feature?

No.

Links / references

Edited by Fabien Catteau