Websockets Implementation for the Connecting screen#310
codingLogan wants to merge 7 commits into master from
Conversation
| @@ -1,17 +0,0 @@ | |||
| name: NPM Audit | |||
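Review bot: this hunk deletes the entire NPM Audit workflow (`@@ -1,17 +0,0 @@`; only `name: NPM Audit` is visible here) with no replacement anywhere in the diff, so the pipeline loses its dependency-audit gate unless something else covers it. Since the thread relies on Snyk as the substitute, the PR description should say so, and the Snyk check should be confirmed as a required status check on master before this merges.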
Does Snyk do an npm audit? In my experience it hasn't.
@wesrisenmay-mx yes it does, but I can't speak to the exact details of Snyk's checks (what counts as critical/high/medium, etc.; I believe there are more areas involved that check how easily exploitable a problem is when it determines whether to block or not).
If you follow the links in GitHub where the Snyk check is, you can find where it says no new high vulnerabilities were found.
I really think we should be running npm audit on our code. I know that a couple of times in the past, when there were big npm vulnerabilities, I was asked whether we were running npm audit in our pipelines.
Previously, we didn't have Snyk set up in our project, so we ran manual npm audit scripts. Now we have Snyk, which gives infosec more flexibility and control for the organization.
When I spoke with infosec about vulnerability audits a bit ago, the recommended approach is to rely on Snyk, and no longer use manual audits in pipelines. There are advantages with Snyk that we do not get with raw npm audits.
- If no fix is available yet, we can temporarily bypass a CVE with infosec's help/approval
- If a vulnerability is reported, but is hard/impossible to exploit, Snyk takes that into account for us and won't block a pipeline
I do agree that we need to be actively taking care of vulnerabilities that come up, and Snyk is the more holistic approach to handling it. We can additionally handle CVEs on our dev machines when we notice things too. For instance, when npm gives us the audit results after installing, we are alerted to the current CVEs. Really we should be diligent at the dev level at that point as well.
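As an added example, not code from this PR or the repository, here is a small Node gate over the `npm audit --json` (npm 7+) report shape that implements the two points raised in the comment above: a severity threshold, and an approved, expiring waiver for an advisory that has no fix yet. Advisory ids, package names and dates are constructed.

```javascript
// Added example (not code from this PR): a minimal CI gate over the JSON that
// `npm audit --json` (npm 7+) prints: block on a severity threshold, and honour
// a time-boxed, approved waiver for an advisory that has no fix yet.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Waivers would be granted by the security team; each one expires so a bypass
// cannot silently become permanent. Ids below are constructed placeholders.
const WAIVERS = {
  'GHSA-xxxx-xxxx-xxx1': { expires: '2099-01-01', reason: 'no fix released yet' },
};

// In the npm 7+ report, vulnerabilities[pkg].via holds advisory objects
// (with url/severity) or plain package names for transitive effects.
function collectAdvisories(report) {
  const found = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via !== 'object') continue; // transitive effect, not an advisory
      found.push({ pkg, id: via.url.split('/').pop(), severity: via.severity,
                   fixAvailable: entry.fixAvailable !== false });
    }
  }
  return found;
}

// Returns { pass, blocking, waived, below }; `now` is injectable for testing.
function evaluateAudit(report, { failOn = 'high', now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  const blocking = [], waived = [], below = [];
  for (const adv of collectAdvisories(report)) {
    if (SEVERITY_RANK[adv.severity] < threshold) { below.push(adv); continue; }
    const waiver = WAIVERS[adv.id];
    if (waiver && new Date(waiver.expires) > now) waived.push({ ...adv, reason: waiver.reason });
    else blocking.push(adv);
  }
  return { pass: blocking.length === 0, blocking, waived, below };
}

// Constructed sample in the npm 7+ shape: a critical advisory with no fix
// (covered by the waiver above), a high one with a fix, and a low one.
const advisory = (n, severity) =>
  ({ source: n, severity, url: `https://github.com/advisories/GHSA-xxxx-xxxx-xxx${n}` });
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-a': { severity: 'critical', fixAvailable: false, via: [advisory(1, 'critical')] },
    'example-b': { severity: 'high', fixAvailable: true, via: [advisory(2, 'high')] },
    'example-c': { severity: 'low', fixAvailable: true, via: [advisory(3, 'low'), 'example-a'] },
  },
};
```

In a pipeline the report would come from `JSON.parse` of the `npm audit --json` output and a non-zero exit on `pass === false`.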
Recent test runs
With the new feature enabled
With the new feature disabled
How the feature works
The hosting app does a lot of the heavy lifting and passes in what is required by the UI
How to pass the values into the UI package
In the hosting app, pass in a new prop object to the ConnectWidget named webSocketConnection. To enable the widget to use those values, you must also enable the useWebSockets experimental feature.