Skip to content

Enable tsec as language service plugin#108682

Merged
jrieken merged 2 commits intomicrosoft:masterfrom
Siegrift:enable-tsec-language-service-plugin
Nov 9, 2020
Merged

Enable tsec as language service plugin#108682
jrieken merged 2 commits intomicrosoft:masterfrom
Siegrift:enable-tsec-language-service-plugin

Conversation

@Siegrift
Copy link
Contributor

@Siegrift Siegrift commented Oct 14, 2020
edited
Loading

This PR adds a tsec as language service plugin which enables showing potential security violations directly in the IDE.

There was one thing I needed to do (and not sure if it's just my issue) was that I needed to explicitly update tsec dependency, although there was no change in yarn.lock (it was probably just to invalidate the cache). Anyway, I recommend doing an explicit update of tsec using yarn upgrade tsec --latest.

@Siegrift Siegrift mentioned this pull request Oct 14, 2020
Closed
@chrmarti chrmarti assigned chrmarti and jrieken and unassigned chrmarti Oct 15, 2020
@jrieken jrieken added this to the October 2020 milestone Oct 15, 2020
@jrieken
Copy link
Member

jrieken commented Oct 26, 2020

@Siegrift The changes look good but tsec is now reporting too many errors 😄 Async imports are quite popular in our codebase and we have no plans of changing that. Would it be possible to teach tsec more than one error code and to able to suppress certain error codes (instead of files)?

@jrieken jrieken modified the milestones: October 2020, November 2020 Oct 26, 2020
@koto koto mentioned this pull request Oct 26, 2020
Closed
@koto
Copy link

koto commented Oct 26, 2020
edited
Loading

@Siegrift The changes look good but tsec is now reporting too many errors 😄 Async imports are quite popular in our codebase and we have no plans of changing that. Would it be possible to teach tsec more than one error code and to able to suppress certain error codes (instead of files)?

I filed google/tsec#15.

@Siegrift - as a workaround, it should be possible soon to silence disable a specific conformance rule, no?

@Siegrift
Copy link
Contributor Author

Siegrift commented Oct 28, 2020

@jrieken @koto We have removed the rule from tsec. The changes are now available on latest master. We want it only internally and it was published by mistake :).

As Koto mentioned, we would like to improve the allowlist/suppression capabilities in the future.

@jrieken jrieken merged commit d404999 into microsoft:master Nov 9, 2020
@jrieken jrieken added the engineering VS Code - Build / issue tracking / etc. label Nov 9, 2020
@jrieken
Copy link
Member

jrieken commented Nov 27, 2020

fyi - we have reverted the changes from this PR as there have been too many "annoying errors". I'd say this is largely due to google/tsec#15. However, I am also unsure what the best way is to write code that support the lack of trusted types, e.g we assume that (parts of) our code don't always run in environments where trusted types are available/polyfiled and I am afraid we will always have errors for that

@github-actions github-actions bot locked and limited conversation to collaborators Dec 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@jrieken jrieken jrieken approved these changes

Assignees

@jrieken jrieken

Labels

engineering VS Code - Build / issue tracking / etc.

Projects

None yet

Milestone

November 2020

Development

Successfully merging this pull request may close these issues.

4 participants

@Siegrift @jrieken @koto @chrmarti