Welcome

In this repository, we'll be diving into the world of Continuous Integration. Continuous Integration, or CI, can benefit your projects and change how you work on GitHub. If you're new to Continuous Integration, you may be thinking, "What exactly is it, and do I need it in my project?"

What is CI? Why should you care?

CI can help you stick to your team’s quality standards by running tests and reporting the results on GitHub. CI tools run builds and tests, triggered by commits. The results post back to GitHub in the pull request. This reduces context switching for developers, and improves consistency for testing. The goal is fewer bugs in production and faster feedback while developing.

Choices around CI that will work best for your project depend on many factors, including:

• Programming language and application architecture
• Operating system and browsers you plan to support
• Your team’s experience and skills
• Scaling capabilities and plans for growth
• Geographic distribution of dependent systems and the people who use them
• Packaging and delivery goals

Using CI and Learning Lab

In other courses, you may have noticed that some actions take me longer to respond to than others. In this course, many of the actions will be related to builds. Those builds sometimes take longer to build, up to several minutes. Don't be concerned if I take a few minutes to respond, or if I respond too quickly. Sometimes, I'll let you know what the build will say before it finishes! Please wait for the builds to finish before moving on to your next step.

If you aren't already familiar, it may be a good idea to go through the Introduction to GitHub Learning Lab.

Step 1: Use a templated workflow

There's a bug somewhere in this repository. We'll use the practice of Continuous Integration (CI) to set up some automated testing to make it easier to discover, diagnose, and minimize scenarios like this.

Let's first introduce CI to this repository. The codebase is written with Node.js. GitHub Actions allows us to use some templated workflows for common languages and frameworks, like Node.js! Let's add it:

⌨️ Activity: Create a pull request with a templated workflow

1. Go to the Actions tab.
2. Choose the template Node.js workflow.
3. Commit the workflow to a new branch.
4. Create a pull request titled CI for Node.

I'll respond in the new pull request when I detect it has been created.

If at any point you're expecting a response and don't see one, refresh the page.

Depshield will be deprecated on Monday December 12th

Please install our new product, Sonatype Lift with advanced features

Vulnerabilities

DepShield reports that this application's usage of acorn:6.3.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

acorn:6.3.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.40.2
        └─ acorn:6.3.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of express:4.17.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

express:4.17.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.8.1
        └─ express:4.17.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of minimist:0.0.8 results in the following vulnerability(s):

• (CVSS 8.8) CWE-94: Improper Control of Generation of Code ('Code Injection')

Occurrences

minimist:0.0.8 is a transitive dependency introduced by the following direct dependency(s):

• babel-loader:8.0.6
        └─ mkdirp:0.5.1
              └─ minimist:0.0.8

• webpack-dev-server:3.8.1
        └─ chokidar:2.1.8
              └─ fsevents:1.2.9
                    └─ node-pre-gyp:0.12.0
                          └─ mkdirp:0.5.1
                                └─ minimist:0.0.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:11.1.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
• (CVSS 7.5) [CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...

Occurrences

yargs-parser:11.1.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.8.1
        └─ yargs:12.0.5
              └─ yargs-parser:11.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:3.2.2 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:3.2.2 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.40.2
        └─ micromatch:3.1.10
              └─ braces:2.3.2
                    └─ fill-range:4.0.0
                          └─ is-number:3.0.0
                                └─ kind-of:3.2.2
                    └─ snapdragon-node:2.1.1
                          └─ snapdragon-util:3.0.1
                                └─ kind-of:3.2.2
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ to-object-path:0.3.0
                                      └─ kind-of:3.2.2
                          └─ class-utils:0.3.6
                                └─ static-extend:0.1.2
                                      └─ object-copy:0.1.0
                                            └─ kind-of:3.2.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ is-accessor-descriptor:0.1.6
                                      └─ kind-of:3.2.2
                                └─ is-data-descriptor:0.1.4
                                      └─ kind-of:3.2.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of elliptic:6.5.1 results in the following vulnerability(s):

• (CVSS 5.6) CWE-190: Integer Overflow or Wraparound

Occurrences

elliptic:6.5.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.40.2
        └─ node-libs-browser:2.2.1
              └─ crypto-browserify:3.12.0
                    └─ browserify-sign:4.0.4
                          └─ elliptic:6.5.1
                    └─ create-ecdh:4.0.3
                          └─ elliptic:6.5.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of yargs-parser:13.1.1 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
• (CVSS 7.5) [CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...

Occurrences

yargs-parser:13.1.1 is a transitive dependency introduced by the following direct dependency(s):

• webpack-cli:3.3.9
        └─ yargs:13.2.4
              └─ yargs-parser:13.1.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of http-proxy:1.18.0 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

http-proxy:1.18.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.8.1
        └─ http-proxy-middleware:0.19.1
              └─ http-proxy:1.18.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of debug:2.6.9 results in the following vulnerability(s):

• (CVSS 7.5) CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Occurrences

debug:2.6.9 is a transitive dependency introduced by the following direct dependency(s):

• standard:14.3.1
        └─ eslint-plugin-import:2.18.2
              └─ eslint-import-resolver-node:0.3.2
                    └─ debug:2.6.9
              └─ eslint-module-utils:2.4.1
                    └─ debug:2.6.9
              └─ debug:2.6.9

• webpack:4.40.2
        └─ micromatch:3.1.10
              └─ extglob:2.0.4
                    └─ expand-brackets:2.1.4
                          └─ debug:2.6.9
              └─ snapdragon:0.8.2
                    └─ debug:2.6.9

• webpack-dev-server:3.8.1
        └─ compression:1.7.4
              └─ debug:2.6.9
        └─ express:4.17.1
              └─ body-parser:1.19.0
                    └─ debug:2.6.9
              └─ debug:2.6.9
              └─ finalhandler:1.1.2
                    └─ debug:2.6.9
              └─ send:0.17.1
                    └─ debug:2.6.9
        └─ portfinder:1.0.24
              └─ debug:2.6.9
        └─ serve-index:1.9.1
              └─ debug:2.6.9

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of minimist:1.2.0 results in the following vulnerability(s):

• (CVSS 8.8) CWE-94: Improper Control of Generation of Code ('Code Injection')

Occurrences

minimist:1.2.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack-dev-server:3.8.1
        └─ chokidar:2.1.8
              └─ fsevents:1.2.9
                    └─ node-pre-gyp:0.12.0
                          └─ rc:1.2.8
                                └─ minimist:1.2.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:5.1.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:5.1.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.40.2
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ define-property:0.2.5
                          └─ is-descriptor:0.1.6
                                └─ kind-of:5.1.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of kind-of:4.0.0 results in the following vulnerability(s):

• (CVSS 5.3) CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Occurrences

kind-of:4.0.0 is a transitive dependency introduced by the following direct dependency(s):

• webpack:4.40.2
        └─ micromatch:3.1.10
              └─ snapdragon:0.8.2
                    └─ base:0.11.2
                          └─ cache-base:1.0.1
                                └─ has-value:1.0.0
                                      └─ has-values:1.0.0
                                            └─ kind-of:4.0.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}