This commit changes the behavior of auditing to audit only production
dependencies.
Security checks have been failing for months due to Vue CLI dependencies
and lack of resolution from the developers. This commit makes auditing
ignore development dependencies.
The reasons include:
- Vulnerabilities in developer dependencies cause pipelines to fail
on every run.
- This is caused by dependencies such that lack resolution from the
developers. Vue developers consider `npm audit` broken design and do
not prioritize solutions. Discussions: vuejs/vue-cli#6637,
vuejs/vue-cli#6621, vuejs/vue-cli#6555, vuejs/vue-cli#6553,
vuejs/vue-cli#6523, vuejs/vue-cli#6486, vuejs/vue-cli#6632.
- Development packages are not relevant for the production payload.
- False positives create behavior of ignoring them completely instead of
taking action, which creates a security vulnerability itself.
- Failed tests are shown in a badge on README file, giving wrong picture
of security posture of users.
`npm audit --omit=dev` is used instead of `npm audit --production` which
is deprecated as of npm v8.7.0 npm/cli#4744.
This commit also removes exiting with output of `npm audit` command to
fix exiting with textual output, leading to failures.
Key features of Linux support:
- It supports python 3 scripts execution.
- It supports Flatpak and Snap installation for software
clean-up/configurations.
- Extensive documentation.
Change icon color to match the primary color of the theme (i.e.,
`#3a65ab`). The new color looks good on both dark and light surfaces
which solves #155.
Introduce SVG logo instead of PNG for better quality and scalability.
Improve icon creation. Introduce an automated script to create different
logo formats in different sizes enabling easier update of logo from
single place.
- Bump setup-node action to v2.
- Use composite actions to reuse same setting. This is preferred over
reusable templates because reusable templates are on job-level but
setting up node should be a step.
Run quality checks for every possible OS because behavior of linting
rules may change per OS (e.g. `linebreak-style` ESLint assertment varies
by Unix-like vs Windows).
Add a new check to ensure project can be built:
1. As both web and desktop applications.
Different jobs are used due to nonidentical environment/mode support.
Reference: nklayman/vue-cli-plugin-electron-builder#1627.
2. Targeting all possible modes.
The modes are configured using `--mode` but electron CLI checks
`NODE_ENV` so it's set as well.
Reference: nklayman/vue-cli-plugin-electron-builder#1626.
3. On and for different operating systems.
Fix typo "Run units" instead of "Run unit tests".
Link to specific GitHub actions page for workflow runs.
Update documentation to match new structure, and change nontransparent
icons from the diagram and consistently use imperative for actions.
Rename `release-site` , `release-git`, `release-desktop` to
`site-release` , `git-release` and `desktop-release` to not be Yoda.
TSLint deprecated and is being replaced by ESLint.
Add Vue CLI plugin (@vue/cli-plugin-eslint) using:
`vue add @vue/cli-plugin-eslint`. It also adds `.eslintrc.js` manually
for Cypress since Vue CLI for ESLint misses it (vuejs/vue-cli#6892).
Also rename `npm run lint:vue` to `npm run lint:eslint` for better
clarification.
This commit disables all rules that the current code is not compliant
with. This allows for enabling them gradually and separating commits
instead of mixing ESLint introduction with other code changes.
AirBnb is chosen as base configuration.
"Standard" is not chosen due to its poor defaults. It makes code cleaner
but harder to maintain:
- It converts interfaces to types which is harder to read.
- Removes semicolons that helps to eliminate some ambigious code.
"Airbnb" on the other hand helps for easier future changes and
maintinability:
- Includes more useful rules.
- Keeps the semicolons and interfaces.
- Enforces trailing commas that makes it easier to delete lines later on.
- Delete branches: standard, prettier.
- Seperate test pipeline into E2E, integration and unit test pipelines.
- Improve documenetation for pipelines (ci-cd.md).
- Introduce naming convention for worklow files and names.
- Center badges with multiple files on README file.
Integration tests may depend on third parties and can fail from time to
time. In some situations failing tests can be acceptable to go forward
with deployments. They should not be a requirement that blocks
deployments. They may lead to unintended lack of distributed packages as
seen in #90.
- Use same multi-lined comment convention
- Highlight that "additional information" in a bug report is optional
- Remove recommendation for pasting script in a bug report as it's too long
- Rename feature request issue file to follow same naming convention
- Document also creating a issue as a way to extend scripts
- Add reproduction steps in script bug reports
- Use names instead of commands in heading
This commit:
- Fixes broken URLs using archive.org or other references.
- Replaces tenforums.com URLs with better documentation as they tend to return HTTP status code 403 to tests and also are low quality source.
- Changes all insecure http sources to https alternatives
- Adds integration tests to check for broken URLs
- There's logic implemented for having a delay inbetween when sending requests to same domains, however it's not used as the sources can respond to totally parallelized requests.
- Run test pipeline weekly to get notified about broken URls without commits
Integration tests are executed using vue-cli-service with double quotes as following: `vue-cli-service test:unit "tests/integration/**/*.spec.ts"`. Using single quotes (mochajs/mocha#1828) works on macOS and Ubuntu but does not on Windows (tests are not found). Double quotes is the only portable way that works on all three platforms (mochajs/mocha#3136).
