
Rename the Web package.json to stop Snyk PRs #3374

Merged (1 commit), Aug 15, 2024

Conversation

dacharyc
Collaborator

Pull Request Info

After investigating the Snyk integration, it seems we are unable to disable it for a specific directory or repository.

While we are evaluating long-term plans for the Web SDK test suite, getting unnecessary Snyk update PRs is disruptive and creates maintenance burden.

This PR renames the package.json file, which is one of the files that Snyk scans for, and this should hopefully stop the Snyk dependency update PRs. The updated README provides instructions about the changes required to run the test suite locally and to reinstate the file in the future.


netlify bot commented Aug 15, 2024

Deploy Preview for device-sdk ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | e1f3ecd |
| 🔍 Latest deploy log | https://app.netlify.com/sites/device-sdk/deploys/66be1bb88bc14700089482ee |
| 😎 Deploy Preview | https://deploy-preview-3374--device-sdk.netlify.app |

@krollins-mdb krollins-mdb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That should do it. Thanks for thinking of this, @dacharyc!

@dacharyc dacharyc merged commit 6a15b07 into mongodb:master Aug 15, 2024
6 checks passed
@dacharyc dacharyc deleted the stop-web-snyk-prs branch August 15, 2024 15:20

@MongoCaleb
Collaborator

As long as this doesn't cause Snyk to run and fail (file not found), I'm OK with it.

@dacharyc
Collaborator Author

@MongoCaleb No guarantees, but according to Snyk documentation and internal documentation, Snyk runs on a scheduled cadence determined by the org and checks all the projects for files that list dependencies. The best info I could find suggests it's looking for specific naming conventions, i.e. package.json. If it finds a file matching the naming convention, it checks the dependencies and makes PRs for vulnerabilities (configurable by the org).

So, making our dependency file not match the naming conventions it scans for suggests it just "won't find" this dependency file and therefore won't make a PR.

But changing the name doesn't "cause Snyk to run and fail": it runs on a scheduled cadence we can't control for all of the org's repos, and changing the name means it shouldn't find anything that it thinks it should update. 🤞
