Under review

IS there some way of having an indication that the author is using snyk

Simon Tocker 3 years ago updated 3 years ago 3

In the pcf gallery itself, I found a control and ran it through snyk, and a low-level vulnerability was identified;

it has an easy fix too: update the version.

I'm new to this, so asking: is there some way of knowing that a project is registered with automated dependency checking, and calling out to it to determine the current status of the components you are displaying?

If the author doesn't do this, is there a way for you to register all open source components with, say, snyk and check it yourselves, automating notifications to the author to get on with fixing when detected, and for you to display the message on the site that this component needs attention, and possibly notify users that downloaded a component from yourselves that what they have needs updating/checking.

+1
Answer
Under review

It's definitely an interesting topic; if I may add, it should be considered in all kinds of applications and not only regarding PCF controls. PCF being an ecosystem deeply connected to npm, I understand your concerns. I quickly checked and it looks like there are other players in this category (at least snyk is open source). Thanks for raising attention on this topic; I will evaluate if an indicator can be a solution.

If the projects come from GitHub, is it possible to use Dependabot?

https://github.com/dependabot

+1

So I'm not part of the pcf team, just the guy who suggested it,

but I think the issue here is the owners of the projects that list here are not using tools like this; the project in GitHub is their responsibility, and in some cases they are abandoned or they just don't know to do this.

It's why I suggested indicators; this warns users of the components' current state at least.

I've spoken with folk in MS about this and they are of a similar opinion to myself: that the best way to utilise pcf components is to fork it and do all of those checks and tasks yourself, including a full code review of the component, as ultimately you are putting 3rd-party code in your tenant.

Having such an indicator is also a way to encourage authors to do these tasks and do regular updates.
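One shape the proposed gallery indicator could take, as an added example that is not part of this thread or of the PCF gallery's code: a small Python routine that reads a dependency scan report in the shape of `snyk test --json` output (field names such as `vulnerabilities`, `severity`, `isUpgradable` and `upgradePath` are assumed from the Snyk CLI format; the package names and findings in the sample are constructed) and turns it into the status and one-line message the listing page would show.

```python
import json
from collections import Counter

# Constructed sample in the shape of `snyk test --json` output. Field names are
# assumed from the Snyk CLI; the packages and vulnerabilities here are made up.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "dependencyCount": 412,
    "vulnerabilities": [
        {"id": "EXAMPLE-VULN-1", "title": "Prototype Pollution",
         "severity": "low", "packageName": "example-lib", "version": "1.2.0",
         "isUpgradable": True, "isPatchable": False,
         # upgradePath lists the chain from the root project (false) to the fixed package
         "upgradePath": [False, "example-lib@1.2.3"]},
        {"id": "EXAMPLE-VULN-2", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "other-lib", "version": "0.9.1",
         "isUpgradable": False, "isPatchable": False, "upgradePath": []},
    ],
})

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def summarise_report(report_json):
    """Reduce a scan report to indicator data: overall status, worst severity,
    counts per severity, and whether a plain version update fixes everything."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    worst = max(vulns, key=lambda v: SEVERITY_RANK.get(v["severity"], 0), default=None)
    upgrades = sorted({v["upgradePath"][-1] for v in vulns
                       if v.get("isUpgradable") and v.get("upgradePath")})
    return {
        "status": "clean" if report.get("ok") and not vulns else "needs attention",
        "worst_severity": worst["severity"] if worst else None,
        "counts": dict(counts),
        "all_fixable_by_upgrade": bool(vulns) and all(v.get("isUpgradable") for v in vulns),
        "suggested_upgrades": upgrades,
    }


def badge_text(summary):
    """One-line message for the listing page, most severe findings first."""
    if summary["status"] == "clean":
        return "No known vulnerable dependencies"
    ordered = sorted(summary["counts"].items(), key=lambda kv: -SEVERITY_RANK.get(kv[0], 0))
    counts = ", ".join(f"{n} {sev}" for sev, n in ordered)
    fix = ("fixable by updating dependencies" if summary["all_fixable_by_upgrade"]
           else "not all fixable by a version update")
    return f"Needs attention: {counts} ({fix})"
```

The same summary can drive the author notification the original post asks for, since `suggested_upgrades` already names the versions to move to.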