ci - install deps with "--har" flag to capture network activity #7143
Conversation
|
You can see the generated har file here (at 9.6 MB its kinda massive), it claimed to take 0 sec to upload |
|
the generated har file does not have the downloaded content which may significantly reduce the value of this. it does include lots of metadata that might be useful when working with external security teams like yarn/npm/cloudflare. we may not need this for every prerelease |
|
as an alternative we could explore capturing pcaps for releases, but they may be very large |
|
It definitely couldn't hurt to collect HAR files. I'm not entirely sure when they'd be useful, but who knows.
I agree - it would be nice to collect this only for actual releases, perhaps. CircleCI v2.1 does allow conditional steps within jobs. Maybe we could just run that step on release branches (and on |
yes, better to have something in the event of an incident, but I really would prefer to have something that includes request content so we can try to trace. maybe a tarball of |
|
there doesn't seem to be any performance impact |
|
I looked into adding logic for doing it conditionally but it was not super fun anyways I think this can be merged as is. if getting HAR always causes a problem, we can revisit |
There was a problem hiding this comment.
I really would prefer to have something that includes request content so we can try to trace. maybe a tarball of node_modules after a yarn --ignore-scripts? I wish there was a way to ignore scripts and then run them later.
I think there is - we could use the Yarn cache. It's in $(yarn cache dir), and it contains an un-archived cache of all packages downloaded during the installation. Yarn also allows installing from just the cache ("offline mode"), so we should be able to reproduce the install phase completely (including install scripts). This would mean saving a lot of files though, so we'd definitely want it to be conditional.
I think this can be merged as is. if getting HAR always causes a problem, we can revisit
Sure, sounds good 👍
Builds ready [c094475]
|
…evelop * origin/develop: (31 commits) Performance: Delivery optimized images (#7176) Add `appName` message to each locale Remove the disk store (#7170) Update @hapi/subtext as per security advisory (#7172) Add fixes for German translations (#7168) Fix recipient field of approve screen (#7171) 3box integration 2.0 (#6972) ci - metamaskbot - include links to dep-viz and all artifacts (#7155) Replace `undefined` selectedAddress with `null` (#7161) Add polyfill for AbortController (#7157) Remove redundant error logging (#7158) Set minimum Firefox version to v56.2 to support Waterfox (#7156) ci - install deps with "--har" flag to capture network activity (#7143) ci - create source-map-explorer build-artifacts (#7141) ci - build-artifacts - generate sesify-viz for inspecting deps (#7151) Publish GitHub release from master branch (#7136) fix rinkeby spelling (#7148) deps - move gulp-terser-js to devDeps test:integration - fix renamed test data file lint fix ...
Add yarn install HTTP Archive (HAR) file to
build-artifacts.The intention of this is to have some documentation on provenance of dependency sources for use in incident response.
If something weird ends up in our bundle, we should be able to clearly identify how it got there. This is intended to be one piece of that puzzle.
https://yarnpkg.com/lang/en/docs/cli/install/#toc-yarn-install-har
https://en.wikipedia.org/wiki/HAR_(file_format)
https://w3c.github.io/web-performance/specs/HAR/Overview.html