From 95fa45b84942b1fe3ee67cb5c215ab7192e66229 Mon Sep 17 00:00:00 2001
From: Fred Visser <1458528+fredvisser@users.noreply.github.com>
Date: Tue, 26 Mar 2024 09:34:46 -0500
Subject: [PATCH] Add dependency review check (#1930)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Pull Request

## 🤨 Rationale

#801 highlighted that our current use of `npm audit` is brittle. This
action should elevate any issues tracked by Github to the PR.

## 👩‍💻 Implementation

- Use the example config file from
https://github.com/actions/dependency-review-action?tab=readme-ov-file
- I'll remove the Snyk integration when this PR goes in

## 🧪 Testing

This PR only highlights the packages that are changed (the Github
Actions), but since the [Github dependency
graph](https://github.com/ni/nimble/network/dependencies) sees our other
NPM dependencies, I expect this will evaluate package.json issues when a
PR has those changes in it.

I could add known bad issues to this PR to validate, or we could just
submit this and validate over time.

## ✅ Checklist

<!--- Review the list and put an x in the boxes that apply or ~~strike
through~~ around items that don't (along with an explanation). -->

- [x] I have updated the project documentation to reflect my changes or
determined no changes are needed.
---
 .github/workflows/dependency-review.yml | 17 +++++++++++++++++
 .github/workflows/main.yml              |  5 -----
 CONTRIBUTING.md                         |  6 +++---
 3 files changed, 20 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000000..c6e603f450
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,17 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@v4
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@v4
+        with:
+          comment-summary-in-pr: on-failure
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 7ab04208e6..4bc5b6ef05 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -58,11 +58,6 @@ jobs:
       # only informational so swallow error codes
       - run: npm outdated || exit 0
 
-      # Audit
-      - run: npm audit --only=prod
-      # https://github.com/ni/nimble/issues/801
-      # - run: npm audit --audit-level=critical
-
       # Build
       - run: npm run build
 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b6570fceeb..8003ae7ad3 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -79,9 +79,9 @@ When generating a change file, follow these guidelines:
 2. Write a brief but useful description with Nimble clients in mind. If making a major (breaking) change, explain what clients need to do to adopt it. The description can be plain text or [markdown](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax), with newlines specified via `\n` if needed.
 3. If you prefer not to expose your email address to the world, [configure GitHub to "Keep my email address private"](https://github.com/settings/emails) before generating the change file.
 
-### NPM audit
+### Dependency Review
 
-The repository runs [`npm audit`](https://docs.npmjs.com/cli/v8/commands/npm-audit) to prevent submissions if any dependencies have known vulnerabilities. This can occur during on a PR that introduces a new dependency version or on an unrelated PR if a vulnerability was recently reported on an existing dependency. If this check fails, our options include:
+The repository runs the [Dependency Review](https://github.com/actions/dependency-review-action) action to prevent submissions if any dependencies have known vulnerabilities. This can occur during on a PR that introduces a new dependency version or on an unrelated PR if a vulnerability was recently reported on an existing dependency. If this check fails, our options include:
 
 #### Vulnerabilities with fixes available
 
@@ -93,7 +93,7 @@ The repository runs [`npm audit`](https://docs.npmjs.com/cli/v8/commands/npm-aud
 If a fix for the vulnerability isn't available or if it isn't practical to uptake the fix, our options include:
 
 1. Remove the vulnerable dependency and find a different way to achieve the same functionality.
-2. Temporarily use a more lenient [audit level](https://docs.npmjs.com/cli/v8/commands/npm-audit#audit-level) for this repository (e.g. allowing `low` or `moderate` vulnerabilities). We should ensure there is an issue on the dependency's repository asking them to fix the vulnerability and also file an issue against this repository to track fixing the vulnerability and restoring strict auditing.
+2. Dismiss the alert in the [GitHub Security - Dependabot](https://github.com/ni/nimble/security/dependabot) dashboard, and document your rationale for doing so. We should ensure there is an issue on the dependency's repository asking them to fix the vulnerability and also file an issue against this repository to track fixing the vulnerability and restoring strict auditing.
 
 
 ### Chromatic visual component tests