Skip to content

core(vulnerable-libraries): remove audit #14194

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
connorjclark merged 9 commits into from
Aug 16, 2022
Merged

core(vulnerable-libraries): remove audit #14194

connorjclark merged 9 commits into from
Aug 16, 2022

Conversation

@connorjclark
Copy link
Collaborator

@connorjclark connorjclark commented Jul 6, 2022
edited by paulirish
Loading

Closes #3524 #14168 #14180

There are a few drawbacks to our approach in this audit:

  1. Because of our caution against sending/receiving data anywhere (we send nothing to Google services, and only to a third party bug tool Sentry in Node CLI if the user opts in), we are limited to snapshots of snyk vulnerabilities. These quickly go stale after a Lighthouse release
  2. We aren't in a good position to commonly get reliable version numbers of the libraries in use. For that, one really needs a package.json file. Our pipeline here uses JS Library Detector, but it's limited in its effectiveness.
  3. Much of the vulns we end up displaying to users are low severity IMO. Many are only exploitable in node, which just creates noise.

Accordingly, we can't justify the effort to keep this audit working. Discussing it with the team, perhaps it was never a great fit for Lighthouse core in the first place. Maybe we'll see it again as a plugin some day?

@connorjclark connorjclark requested a review from a team as a code owner July 6, 2022 19:27
@connorjclark connorjclark requested review from brendankenny and removed request for a team July 6, 2022 19:27
@paulirish
Copy link
Member

paulirish commented Jul 7, 2022
edited
Loading

Here's the most relevant threads with snyk around setting up the snyk-bot automation:

@paulirish
Copy link
Member

paulirish commented Jul 7, 2022

@amotzhoshen @carwin @aviadatsnyk We've decided to remove the snyk integration from Lighthouse. The top comment has some details. Ultimately, this decision has to do with the signal:noise ratio of the current audit, and not the recent discussions regarding changing the data pipeline.

Sorry for the news. We've appreciate working with you and appreciated you keeping that bot running. :) But yeah, you can turn it off now.

@amotzhoshen
Copy link

amotzhoshen commented Jul 11, 2022

@paulirish Thanks for the update - we'll work to stop the bot soon.
We would like to express our appreciation for this partnership and hope we will cross paths again in the future.

@connorjclark connorjclark requested review from adamraine and removed request for brendankenny August 16, 2022 17:43
@connorjclark connorjclark merged commit f31bfb8 into master Aug 16, 2022
@connorjclark connorjclark deleted the rm-snyk branch August 16, 2022 21:38
alexnj pushed a commit to alexnj/lighthouse that referenced this pull request Aug 24, 2022
@connorjclark @alexnj
core(vulnerable-libraries): remove audit (GoogleChrome#14194)
5860d7b
@adamraine adamraine mentioned this pull request Dec 14, 2022
Merged
@asimmon asimmon mentioned this pull request Feb 21, 2023
Closed
@connorjclark connorjclark mentioned this pull request Jun 3, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@adamraine adamraine adamraine approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@adamraine adamraine

Labels

waiting4reviewer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add Remediation advice to each library vuln

6 participants

@connorjclark @paulirish @amotzhoshen @adamraine @brendankenny @devtools-bot