feat: optional skip-dev yarn support

Author: WhatIfWeDigDeeper

lib/audit.js

@@ -14,10 +14,8 @@ const PARTIAL_RETRY_ERROR_MSG = {
 
 function audit(pm, config, reporter) {
   const auditor = pm === "npm" ? npmAuditer : yarnAuditer;
-  const {
-    "pass-enoaudit": passENoAudit,
-    "retry-count": maxRetryCount,
-  } = config;
+  const { "pass-enoaudit": passENoAudit, "retry-count": maxRetryCount } =
+    config;
 
   async function run(attempt = 0) {
     try {

lib/yarn-auditer.js

@@ -49,11 +49,18 @@ function yarnAuditSupportsRegistry(yarnVersion) {
  * `registry`: the registry to resolve packages by name and version.
  * `show-not-found`: show allowlisted advisories that are not found.
  * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+ * `skip-dev`: skip devDependencies, defaults to false
  * `_yarn`: a path to yarn, uses yarn from PATH if not specified.
  * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
  */
 async function audit(config, reporter = reportAudit) {
-  const { levels, registry, "report-type": reportType, _yarn } = config;
+  const {
+    levels,
+    registry,
+    "report-type": reportType,
+    "skip-dev": skipDev,
+    _yarn,
+  } = config;
   const yarnExec = _yarn || "yarn";
   let missingLockFile = false;
   const model = new Model(config);
@@ -170,8 +177,10 @@ async function audit(config, reporter = reportAudit) {
   }
   const options = { cwd: config.directory };
   const args = isYarnClassic
-    ? ["audit", "--json"]
-    : ["npm", "audit", "--all", "--recursive", "--json"];
+    ? ["audit", "--json"].concat(skipDev ? ["--groups", "dependencies"] : [])
+    : ["npm", "audit", "--recursive", "--json"].concat(
+        skipDev ? ["--environment", "production"] : ["--all"]
+      );
   if (registry) {
     const auditRegistrySupported = yarnAuditSupportsRegistry(yarnVersion);
     if (auditRegistrySupported) {

test/yarn-auditer.js

@@ -21,6 +21,7 @@ function config(additions) {
     directory: "./",
     registry: undefined,
     "pass-enoaudit": false,
+    "skip-dev": false,
   };
   return { ...defaultConfig, ...additions };
 }
@@ -255,6 +256,19 @@ describe("yarn-auditer", function testYarnAuditer() {
       );
     }
   );
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", async () => {
+    const summary = await audit(
+      config({
+        directory: testDir(
+          canRunYarnBerry ? "yarn-berry-skip-dev" : "yarn-skip-dev"
+        ),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
   // it('prints unexpected https://registry.yarnpkg.com 503 error message', () => {
   //   const directory = testDir('yarn-503');
   //   const errorMessagePath = path.resolve(directory, 'error-message');

test/yarn-berry-skip-dev/.yarn/install-state.gz

@@ -0,0 +1,3 @@
+// Rather than have a bunch of yarn-berry.cjs of different versions,
+// we can specify a single yarn-berry.cjs and require the file for each package.
+module.exports = require("../../../yarn-berry.cjs");

test/yarn-berry-skip-dev/.yarn/releases/yarn-berry.cjs

@@ -0,0 +1 @@
+yarnPath: ".yarn/releases/yarn-berry.cjs"

test/yarn-berry-skip-dev/.yarnrc.yml

@@ -0,0 +1,13 @@
+# Yarn Berry tests
+
+When creating Yarn Berry tests, there are several files and folders that may generate that are not necessary for auditing using `yarn npm audit --all --recursive --json`.
+
+- .pnp.js
+
+- .yarn/cache
+
+Consider manually deleting them before committing.
+
+Also, the `.yarn/releases/yarn-berry.cjs` file in each project re-exports the `yarn-berry.cjs` file at the root of tests.
+Re-exporting the file reduces duplication and version mismatching for tests.
+Currently, this project is set up to use the latest version v2.4.0 (at the time of writing this, Dec 6th, 2020).

test/yarn-berry-skip-dev/README.md

@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-yarn-berry-skip-dev",
+  "description": "Test package.json with critical devDependency",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-berry-skip-dev/package.json

@@ -0,0 +1,29 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-berry-skip-dev@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-berry-skip-dev@workspace:."
+  dependencies:
+    node-noop: 1.0.0
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"node-noop@npm:1.0.0":
+  version: 1.0.0
+  resolution: "node-noop@npm:1.0.0"
+  checksum: 33331046468af72c22553cee2b754851897fa26c36393017ad3dcfbcd28b705e573a71ae7abe18a8f357fa6fd9a3b3ab3aefb52f373b368ec4a5be40b530e269
+  languageName: node
+  linkType: hard
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 5c974432a245cad8ecf3c10529fc1bce29118ee73cb71dd89bbe1dc89b453b944edd4a5e42aa56915a27d5419c7b29bfb4782f1fc336a863452d8051ec3e00af
+  languageName: node
+  linkType: hard

test/yarn-berry-skip-dev/yarn.lock

@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-yarn-skip-dev",
+  "description": "Test package.json with critical devDependency",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-skip-dev/package.json

@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+[email protected]:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/node-noop/-/node-noop-1.0.0.tgz#47a3e7d80cffaa6458364bd22ed85cab3307be79"
+  integrity sha1-R6Pn2Az/qmRYNkvSLthcqzMHvnk=
+
+[email protected]:
+  version "0.0.5"
+  resolved "https://registry.yarnpkg.com/open/-/open-0.0.5.tgz#42c3e18ec95466b6bf0dc42f3a2945c3f0cad8fc"
+  integrity sha1-QsPhjslUZra/DcQvOilFw/DK2Pw=