Remove yarn-audit Dependency Scanning
What does this MR do and why?
This MR follows up the discussion in #412732 (closed).
This removes the yarn-audit (npm-audit) dependency scan configuration as this scanner is no longer maintained and redundant with the default Dependency Scanning scanner. This scanner is also not part of our public offering and this project is the only one at GitLab using it.
This was initially introduced with !73158 (merged) with the rationale:

yarn audit is intended to complement our existing node.js dependency scanning job based on the gemnasium analyzer. The gemnasium analyzer alerts on dependencies that are affected by an advisory in the gemnasium db, which contains mostly advisories from NVD. To also alert on advisories from https://npmjs.com/advisories, yarn audit is added.
This is no longer relevant as NPM has been acquired by GitHub and advisories are publicly accessible at https://github.com/advisories, which is a source of data for our Dependency Scanning feature. A quick benchmark for currently active vulnerabilities also demonstrates it is not worth maintaining this tool in addition to our default offering.
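The redundancy claim above rests on the two scanners reporting the same advisories. The following script, added here as an illustration and not part of this MR or of any GitLab tooling, shows how such a benchmark can be reproduced: it reads the newline-delimited JSON that `yarn audit --json` emits, reads a GitLab Dependency Scanning report, and lists the modules for which yarn audit reports an advisory that shares no identifier (GHSA or CVE) with the Dependency Scanning report. The field names assumed for both formats (`auditAdvisory` records with `data.advisory.module_name`, `github_advisory_id`, `cves`; report `vulnerabilities[].identifiers[].value`) are assumptions about those tools' output, and the embedded sample data is constructed for the example.

```python
"""Compare `yarn audit --json` findings against a GitLab Dependency Scanning
report to see which yarn-audit advisories the default scanner does not cover.

Added example, not code from the MR. Format assumptions: yarn audit emits
newline-delimited JSON whose "auditAdvisory" records carry
data.advisory.{module_name, github_advisory_id, cves}; the GitLab report lists
vulnerabilities[].identifiers[] objects with {type, value}.
"""
import json

# Constructed sample yarn audit stream: two advisories and one summary record.
YARN_AUDIT_NDJSON = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "sample-pkg-a",
        "github_advisory_id": "GHSA-xxxx-xxxx-0001",
        "cves": ["CVE-2000-0001"]}}}),
    json.dumps({"type": "auditAdvisory", "data": {"advisory": {
        "module_name": "sample-pkg-b",
        "github_advisory_id": "GHSA-xxxx-xxxx-0002",
        "cves": []}}}),
    json.dumps({"type": "auditSummary", "data": {"vulnerabilities": {"high": 2}}}),
])

# Constructed sample Dependency Scanning report covering only the first advisory.
GITLAB_DS_REPORT = json.dumps({"version": "15.0.0", "vulnerabilities": [
    {"id": "constructed-1", "identifiers": [
        {"type": "cve", "value": "cve-2000-0001"},
        {"type": "gemnasium", "value": "constructed-gemnasium-id"}]},
]})


def parse_yarn_audit(ndjson_text):
    """Return [(module_name, {identifiers})] for each auditAdvisory record.

    Identifiers are the GHSA id plus any CVE ids, upper-cased so they match the
    GitLab report regardless of the case each tool uses.
    """
    advisories = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("type") != "auditAdvisory":
            continue  # summary records carry no advisory data
        adv = record["data"]["advisory"]
        ids = set()
        if adv.get("github_advisory_id"):
            ids.add(adv["github_advisory_id"].upper())
        ids.update(cve.upper() for cve in adv.get("cves", []))
        advisories.append((adv["module_name"], ids))
    return advisories


def parse_ds_report(report_text):
    """Return the set of identifier values (upper-cased) in a GitLab DS report."""
    report = json.loads(report_text)
    return {
        ident["value"].upper()
        for vuln in report.get("vulnerabilities", [])
        for ident in vuln.get("identifiers", [])
    }


def uncovered_modules(yarn_advisories, ds_identifiers):
    """Modules whose yarn-audit advisory shares no identifier with the DS report.

    An advisory with no GHSA or CVE id at all cannot be matched and is reported
    as uncovered so it gets looked at by hand rather than silently dropped.
    """
    return [name for name, ids in yarn_advisories if not (ids & ds_identifiers)]


if __name__ == "__main__":
    advisories = parse_yarn_audit(YARN_AUDIT_NDJSON)
    ds_ids = parse_ds_report(GITLAB_DS_REPORT)
    for module in uncovered_modules(advisories, ds_ids):
        print(f"yarn audit advisory for {module} not present in DS report")
```

Run against real output (`yarn audit --json > yarn-audit.ndjson` and the `gl-dependency-scanning-report.json` artifact) by reading those files instead of the constructed constants; an empty result is the evidence that the extra job adds nothing.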
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.