Skip to content

Explicitly list out tsec exemption#116460

Merged
jrieken merged 2 commits intomicrosoft:masterfrom
engelsdamien:master
Feb 12, 2021
Merged

Explicitly list out tsec exemption#116460
jrieken merged 2 commits intomicrosoft:masterfrom
engelsdamien:master

Conversation

@engelsdamien
Copy link
Copy Markdown
Contributor

@engelsdamien engelsdamien commented Feb 11, 2021

This PR fixes #116459

This implies a few things:

  • tsec's output is empty so it can be included as a CI check
  • code introducing new violations need to update the exemption list,
    making it clear there is something security-sensitive about the code

@engelsdamien
Updates tsec to 0.1.3
33a92eb 
This version of tsec removes a few false positives around Workers and
adds support for restricting unsafe functions from the safevalues
package
@engelsdamien
List all tsec exemption explicitly
58eb43b 
This implies a few things:
 - tsec's output is clear so it can be included as a CI check
 - code introducing new violations need to update the exemption list,
 making it clear there is something security-sensitive about the code
@engelsdamien
Copy link
Copy Markdown
Contributor Author

engelsdamien commented Feb 11, 2021

I am not sure how I can update tsec's version with the current checks

  • if I update yarn.lock, there is a check that says I shouldn't
  • on the other hand if I remove yarn.lock all the other checks fail because nothing builds

@jrieken Could you help ?

@jrieken jrieken added this to the February 2021 milestone Feb 12, 2021
@jrieken
Copy link
Copy Markdown
Member

jrieken commented Feb 12, 2021

@engelsdamien We are now more strict wrt yarn.lock-modification. I have made the tsec update on master (ed10bfb) and things should work now

@jrieken jrieken merged commit f83e5e4 into microsoft:master Feb 12, 2021
@engelsdamien
Copy link
Copy Markdown
Contributor Author

engelsdamien commented Feb 12, 2021

No worries, thanks. Going forward, I will avoid updating packages in PRs and file an issue instead.

@github-actions github-actions bot locked and limited conversation to collaborators Mar 29, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

@jrieken jrieken

Labels

None yet

Projects

None yet

Milestone

February 2021

Development

Successfully merging this pull request may close these issues.

Clean up tsec-compile-check output

2 participants

@engelsdamien @jrieken