Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure core files are codeowned by Wallet Framework #5274

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Ensure core files are codeowned by Wallet Framework #5274

wants to merge 2 commits into from

Conversation

mcmire
Copy link
Contributor

@mcmire mcmire commented Feb 4, 2025
edited
Loading

Explanation

I noticed that when new packages are added we may not always know about it. It seems that there are many files that are not codeowned by any team and so anyone is free to update them. This is especially true of the TypeScript config files but also the README.

I've added the github-codeowner package as a dev dependency to ensure that we can stay on top of this better. You can run this command to find all unowned files:

yarn github-codeowner audit -u

If you're unsure who owns a file, you can also run:

yarn github-codeowner who <file>

And if you want to see a list of all files and who owns what, you can run:

yarn github-codeowner audit

With that context, I've gone through and granted as many files to Wallet Framework as made sense. With this change there should be far fewer unowned files than before.

References

N/A

Changelog

N/A, developer-only change.

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've highlighted breaking changes using the "BREAKING" category above as appropriate
  • I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

@mcmire
Ensure core files are codeowned by Wallet Framework
c4a06c4 
I noticed that when new packages are added we may not always know about
it. It seems that there are many files that are not codeowned by any
team and so anyone is free to update them. This is especially true of
the TypeScript config files but also the README.

I've added the `github-codeowner` package as a dev dependency to ensure
that we can stay on top of this better. You can run this command to find
all unowned files:

```
yarn github-codeowner -u
```

And if you're unsure who owns a file, you can also run:

```
yarn github-codeowner who <file>
```

With that context, I've gone through and granted as many files to Wallet
Framework as made sense.
@socket-security Socket Security
Copy link

socket-security bot commented Feb 4, 2025
edited
Loading

New dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/github-codeowners@0.2.1 filesystem, shell +1 206 kB jjmschofield

View full report↗︎

@socket-security Socket Security
Copy link

socket-security bot commented Feb 4, 2025
edited
Loading

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/github-codeowners@0.2.1

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@mcmire mcmire marked this pull request as ready for review February 4, 2025 22:04
@mcmire mcmire requested a review from a team as a code owner February 4, 2025 22:04
@mcmire
Copy link
Contributor Author

mcmire commented Feb 4, 2025

@SocketSecurity ignore npm/github-codeowners@0.2.1

Shell access is OK, this tool runs the git command for certain operations.

@mcmire mcmire marked this pull request as draft February 4, 2025 22:17
mcmire
mcmire commented Feb 4, 2025
View reviewed changes
.github/CODEOWNERS
/packages/profile-sync-controller @MetaMask/notifications @MetaMask/identity

## Package Release related
/packages/accounts-controller/package.json @MetaMask/accounts-engineers @MetaMask/wallet-framework-engineers
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was trying to avoid from having to do this 🤔 What I've done isn't right. Maybe there is another way.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mcmire