
Draft: Migrate lock file using node:latest

Fabien Catteau requested to merge node-latest into master

This demonstrates how supported lock files can be migrated automatically to ensure that Dependency Scanning is compatible with the latest versions of the package managers it supports.

This MR adds a new migrate-lockfile job that installs the dependencies using the latest version of npm. As a side-effect, the lock file might be migrated. The resulting lock file is passed on to the scanning job as an artifact.

Right now this demonstrates that the latest version of npm (the one that ships w/ node:latest) isn't supported by gemnasium. See pipeline and failing scanning job.

TODO: find a way to skip the pipeline if the lock file hasn't changed.

DO NOT MERGE! This might become a FREEZE part and be used for QA, but it shouldn't be merged into master.

See Monitor external tools used by Security Product... (gitlab-org/gitlab#8348 - closed)

cc @gonzoyumo @willmeek @ifrenkel

Edited by Fabien Catteau
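A `.gitlab-ci.yml` sketch of the setup described in this MR, added here as an example and not the MR's own pipeline definition. The included Dependency Scanning template, the stage names, the `gemnasium-dependency_scanning` job name and the `git diff` check are assumptions; only the `migrate-lockfile` job name and the `node:latest` image come from the MR text.

```yaml
# Added example (not the MR's own pipeline): a migrate-lockfile job that
# refreshes package-lock.json with the npm shipped in node:latest and hands
# the result to the scanning job as an artifact. The template include, the
# stage names and the gemnasium-dependency_scanning job name are assumptions
# based on GitLab's Dependency Scanning template.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml

stages:
  - migrate
  - test

migrate-lockfile:
  stage: migrate
  image: node:latest
  script:
    # Resolve the dependency tree with the current npm without populating
    # node_modules or running lifecycle scripts; npm rewrites
    # package-lock.json to its own lockfileVersion when the committed file
    # is in an older format, which is the "migration" side-effect.
    - npm install --package-lock-only --ignore-scripts
    # Rough check for the MR's open TODO: report whether the lock file
    # actually changed (assumed approach, not something the MR implements).
    - git diff --quiet -- package-lock.json && echo "lock file unchanged" || echo "lock file migrated"
  artifacts:
    paths:
      - package-lock.json

gemnasium-dependency_scanning:
  # Scan the (possibly migrated) lock file from the job above rather than
  # the committed one.
  needs:
    - job: migrate-lockfile
      artifacts: true
```

As the MR notes, the analyzer does not yet accept the lock file format written by the latest npm, so this pipeline reproduces the failing scanning job; pinning the `node:` image to a version whose npm the analyzer supports keeps the scan green until that is fixed.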
