@engelsdamien
Contributor

This PR fixes #116459

This implies a few things:

  • tsec's output is empty so it can be included as a CI check
  • code introducing new violations needs to update the exemption list,
    making it clear there is something security-sensitive about the code

This version of tsec removes a few false positives around Workers and
adds support for restricting unsafe functions from the safevalues
package
This implies a few things:
 - tsec's output is clear so it can be included as a CI check
 - code introducing new violations needs to update the exemption list,
 making it clear there is something security-sensitive about the code
@engelsdamien
Contributor Author

I am not sure how I can update tsec's version with the current checks

  • if I update yarn.lock, there is a check that says I shouldn't
  • on the other hand if I remove yarn.lock all the other checks fail because nothing builds

@jrieken Could you help?

@jrieken jrieken added this to the February 2021 milestone Feb 12, 2021
@jrieken
Member

jrieken commented Feb 12, 2021

@engelsdamien We are now more strict wrt yarn.lock-modification. I have made the tsec update on master (ed10bfb) and things should work now

@jrieken jrieken merged commit f83e5e4 into microsoft:master Feb 12, 2021
@engelsdamien
Contributor Author

No worries, thanks. Going forward, I will avoid updating packages in PRs and file an issue instead.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 29, 2021
Development

Successfully merging this pull request may close these issues.

Clean up tsec-compile-check output