In issue 📌 Bump serialize-javascript version in yarn.lock to overcome known vulnerability Active it is observed there are vulnerabilities in indirect dependency of some other packages we use, in which are not identified with current release setup.
It is good if we perform yarn audit on all dependencies on all active branches during commit or release to overcome this.
Run yarn audit you will get list of vulnerabilities found in the dependencies.
Add yarn audit to CICD pipeline.
Active
11.0 🔥
asset library system
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Moving to phpunit which is the closest thing we have to a gitlab ci component still. We could add a job that runs on the daily runs + manual I think.
Isn't this more a Drupalorg Infra ticket? If I'm not mistaken that queue is responsible for the GitLab CI pipelines.