Add Yarn Audit CI Job
What does this MR do and why?
This MR adds a CI job that executes yarn audit via https://gitlab.com/gitlab-org/security-products/analyzers/npm-audit.
yarn audit is intended to complement our existing Node.js dependency scanning job based on the gemnasium analyzer. The gemnasium analyzer alerts on dependencies that are affected by an advisory in the gemnasium db, which contains mostly advisories from NVD. To also alert on advisories from https://npmjs.com/advisories, yarn audit is added.
Advisories for malicious dependencies are often not listed on NVD, but are on https://npmjs.com/advisories. A recent example is ua-parser-js.
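The CI job described above gates on the output of yarn audit. The script below is an added example, not the MR's job definition and not the npm-audit analyzer's code: it parses the newline-delimited JSON that yarn audit --json (yarn classic) emits, keeps only the auditAdvisory records, and returns a non-zero exit code when any advisory is at or above a chosen severity. The sample output embedded in it is constructed (module names, advisory ids and URLs are placeholders, not real advisories), and the record shape assumed is the one yarn classic produces: a "type" field plus a "data.advisory" object with "module_name", "severity", "title" and "url".

```python
import json
import sys
from typing import Dict, List

# Severity levels as yarn audit reports them, lowest to highest.
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def parse_yarn_audit(ndjson: str) -> List[Dict[str, str]]:
    """Extract advisory records from `yarn audit --json` output.

    yarn classic prints one JSON object per line; only lines whose "type" is
    "auditAdvisory" describe a finding. The trailing "auditSummary" line and
    any non-JSON noise (warnings, progress text) are skipped.
    """
    advisories: List[Dict[str, str]] = []
    for raw in ndjson.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record; ignore
        if record.get("type") != "auditAdvisory":
            continue
        adv = record.get("data", {}).get("advisory", {})
        severity = adv.get("severity", "info")
        if severity not in SEVERITY_ORDER:
            severity = "info"  # unknown label: treat conservatively as lowest, but keep the finding
        advisories.append({
            "module": adv.get("module_name", "<unknown>"),
            "severity": severity,
            "title": adv.get("title", ""),
            "url": adv.get("url", ""),
        })
    return advisories


def findings_at_or_above(advisories: List[Dict[str, str]], threshold: str) -> List[Dict[str, str]]:
    """Return the advisories whose severity is >= threshold."""
    floor = SEVERITY_ORDER.index(threshold)
    return [a for a in advisories if SEVERITY_ORDER.index(a["severity"]) >= floor]


def gate(ndjson: str, threshold: str = "high") -> int:
    """Exit code for a CI job: 0 when nothing reaches the threshold, 1 otherwise."""
    blocking = findings_at_or_above(parse_yarn_audit(ndjson), threshold)
    for a in blocking:
        print(f"[{a['severity']}] {a['module']}: {a['title']} {a['url']}")
    return 1 if blocking else 0


# Constructed sample of yarn audit --json output (not real advisories).
SAMPLE_OUTPUT = "\n".join([
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 1, "path": "ua-parser-js", "dev": False},
        "advisory": {"id": 1, "module_name": "ua-parser-js", "severity": "critical",
                     "title": "Constructed sample: malicious code in published version",
                     "url": "https://npmjs.com/advisories/PLACEHOLDER-1"}}}),
    json.dumps({"type": "auditAdvisory", "data": {
        "resolution": {"id": 2, "path": "example-pad", "dev": True},
        "advisory": {"id": 2, "module_name": "example-pad", "severity": "low",
                     "title": "Constructed sample: low severity issue",
                     "url": "https://npmjs.com/advisories/PLACEHOLDER-2"}}}),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 0, "high": 0, "critical": 1},
        "dependencies": 2, "devDependencies": 0, "optionalDependencies": 0, "totalDependencies": 2}}),
])


if __name__ == "__main__":
    # In CI: `yarn audit --json | python audit_gate.py high`; with no stdin, use the sample.
    level = sys.argv[1] if len(sys.argv) > 1 else "high"
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(gate(data or SAMPLE_OUTPUT, level))
```

Keeping the threshold as an argument lets a pipeline run the same script at "high" for a blocking job and at "low" for an informational one; the summary line is deliberately ignored so that the gate reflects individual advisories rather than yarn's own count.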
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.