
Remove yarn-audit Dependency Scanning

Olivier Gonzalez requested to merge remove-yarn-audit into master

What does this MR do and why?

This MR follows up the discussions in #412732 (closed).

This removes the yarn-audit (npm-audit) dependency scan configuration as this scanner is no longer maintained and redundant with the default Dependency Scanning scanner. This scanner is also not part of our public offering and this project is the only one at GitLab using it.

This was initially introduced with !73158 (merged) with the rationale:

yarn audit is intended to complement our existing node.js dependency scanning job based on the gemnasium analyzer. The gemnasium analyzer alerts on dependencies that are affected by an advisory in the gemnasium db, which contains mostly advisories from NVD. To also alert on advisories from https://npmjs.com/advisories, yarn audit is added.

This is no longer relevant as NPM has been acquired by GitHub and advisories are publicly accessible at https://github.com/advisories, which is a source of data for our Dependency Scanning feature. A quick benchmark for currently active vulnerabilities also demonstrates it is not worth maintaining this tool in addition to our default offering.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Olivier Gonzalez
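For readers unfamiliar with what such a cleanup looks like in CI terms, the following is an added illustration, not the MR's diff and not this project's actual .gitlab-ci.yml: a hypothetical custom yarn-audit job of the kind described above, shown commented out, beside the GitLab-maintained Dependency Scanning template that remains. The job name, stage, image tag and artifact path are assumptions; the template path is the standard one GitLab ships.

```yaml
# Added example (not from the MR or the project). Shows a redundant custom
# yarn-audit job next to the Dependency Scanning template that supersedes it.

# --- Removed: custom audit job (hypothetical; job name/image/paths assumed) ---
# yarn-audit:
#   stage: test
#   image: node:18
#   script:
#     # yarn audit exits non-zero when advisories match, so keep the job green
#     # and publish the report as an artifact instead.
#     - yarn audit --json > yarn-audit.json || true
#   artifacts:
#     paths:
#       - yarn-audit.json
#   allow_failure: true

# --- Kept: GitLab's default Dependency Scanning, which already consumes the
# --- GitHub advisory database that the custom job was meant to cover.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
```

The point of the pairing is that the template's report is what the project's vulnerability report and MR security widget consume; a side job that only drops a JSON artifact adds maintenance cost without adding findings that surface anywhere.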
