fixture.key file causing Aquasec scan failures #5781

Closed
Leonas-Komaras opened this issue Oct 4, 2021 · 1 comment · Fixed by #5799
Leonas-Komaras commented Oct 4, 2021

Hello,

As of version 3.3.0 of apollo-server-core, our Aquasec scans complain about sensitive data in our dependencies.
According to the scan report, the issue is with the `packages/apollo-server-core/src/plugin/drainHttpServer/__tests__/stoppable/fixture.key` file being part of the npm module.

Could this file (or complete tests) be excluded from the module?

Thank you.

glasser (Member) commented Oct 5, 2021

This seems reasonable. I want to check with some team folks to see if there's any reason not to add `src/**/__tests__/**` to all npmignore files in this repo.

@glasser glasser self-assigned this Oct 5, 2021
@glasser glasser added the 2021-10 label Oct 5, 2021
glasser added a commit that referenced this issue Oct 8, 2021
We know of no reason that including the source of tests in built npm
packages would be helpful, and we've heard reports that including the
RSA private key fixture as we do in apollo-server-core can trigger
security scans.

Change how we drop tests from "dist" to drop the whole test directory in
case some other files sneak in there.

Fixes #5781.
glasser added a commit that referenced this issue Oct 8, 2021
We know of no reason that including the source of tests in built npm
packages would be helpful, and we've heard reports that including the
RSA private key fixture as we do in apollo-server-core can trigger
security scans.

Change how we drop tests from "dist" to drop the whole test directory in
case some other files sneak in there.

Add a comment to the one npmignore file that differs from the others.

Fixes #5781.
@hwillson hwillson added the size/small Estimated to take LESS THAN A DAY label Oct 13, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 20, 2023