
Commit 9701fb8

authored
Merge pull request #186 from WhatIfWeDigDeeper/feature-skip-dev-dependencies
Feature: optional `--skip-dev` flag to exclude devDependencies
2 parents 1fcfae9 + 4074095 commit 9701fb8

21 files changed

+213
-5
lines changed

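--- a/README.md
+++ b/README.md
@@ -103,6 +103,7 @@ scripts:
 | | --report-type | Format for the audit report results [_choices_: `important`, `summary`, `full`] (default `important`) |
 | | --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default `5`) |
 | | --config | Path to JSON config file |
+| | --skip-dev | Skip auditing devDependencies (default `false`) |
 | | --advisories | _[DEPRECATED]_ Vulnerable advisory ids to whitelist from preventing integration (default `none`) |
 | -w | --whitelist | _[DEPRECATED]_ Vulnerable modules to whitelist from preventing integration (default `none`) |
 | | --path-whitelist | _[DEPRECATED]_ Vulnerable module paths to whitelist from preventing integration (default `none`) |
@@ -129,6 +130,7 @@ A config file can manage auditing preferences `audit-ci`. The config file's keys
 "show-not-found": <boolean>, // [Optional] defaults `true`
 "registry": <string>, // [Optional] defaults `undefined`
 "retry-count": <number>, // [Optional] defaults 5
+"skip-dev": <boolean>, // [Optional] defaults `false`
 "advisories": <number[]>, // [Deprecated, optional] defaults `[]`
 "path-whitelist": <string[]>, // [Deprecated, optional] defaults `[]`
 "whitelist": <string[]> // [Deprecated, optional] defaults `[]`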

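--- a/lib/audit-ci.js
+++ b/lib/audit-ci.js
@@ -100,6 +100,11 @@ const { argv } = yargs
 "Pass if no audit is performed due to the registry returning ENOAUDIT",
 type: "boolean",
 },
+"skip-dev": {
+default: false,
+describe: "Skip devDependencies",
+type: "boolean",
+},
 advisories: {
 default: [],
 describe: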

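--- a/lib/npm-auditer.js
+++ b/lib/npm-auditer.js
@@ -20,6 +20,9 @@ async function runNpmAudit(config) {
 if (registry) {
 args.push("--registry", registry);
 }
+if (config["skip-dev"]) {
+args.push("--production");
+}
 const options = { cwd: directory };
 await runProgram(npmExec, args, options, outListener, errListener);
 if (stderrBuffer.length) {
@@ -85,6 +88,7 @@ function report(parsedOutput, config, reporter) {
 * `registry`: the registry to resolve packages by name and version.
 * `show-not-found`: show allowlisted advisories that are not found.
 * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+* `skip-dev`: skip devDependencies, defaults to false
 * `_npm`: a path to npm, uses npm from PATH if not specified.
 * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
 */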
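Review bot: The `--production` argument pushed in runNpmAudit is the npm 6 spelling of the switch; npm 7 still accepts it, but later npm releases (npm 8 onward, as far as I recall) treat `production` as a deprecated alias of `--omit=dev` and warn on every run, so if the auditer already distinguishes npm majors (the separate npm7 test suite suggests it may) the flag should be picked per version, and otherwise the supported npm range belongs in the option docs. The JSDoc line added in the second hunk should also tell the reader what the option costs in coverage, e.g. `* skip-dev: skip devDependencies by running npm audit with --production; dev-only tooling that runs in CI is then not audited`. runNpmAudit's body continues outside the first hunk.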

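--- a/lib/yarn-auditer.js
+++ b/lib/yarn-auditer.js
@@ -49,11 +49,18 @@ function yarnAuditSupportsRegistry(yarnVersion) {
 * `registry`: the registry to resolve packages by name and version.
 * `show-not-found`: show allowlisted advisories that are not found.
 * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+* `skip-dev`: skip devDependencies, defaults to false
 * `_yarn`: a path to yarn, uses yarn from PATH if not specified.
 * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
 */
 async function audit(config, reporter = reportAudit) {
-const { levels, registry, "report-type": reportType, _yarn } = config;
+const {
+levels,
+registry,
+"report-type": reportType,
+"skip-dev": skipDev,
+_yarn,
+} = config;
 const yarnExec = _yarn || "yarn";
 let missingLockFile = false;
 const model = new Model(config);
@@ -170,8 +177,10 @@ async function audit(config, reporter = reportAudit) {
 }
 const options = { cwd: config.directory };
 const args = isYarnClassic
-? ["audit", "--json"]
-: ["npm", "audit", "--all", "--recursive", "--json"];
+? ["audit", "--json"].concat(skipDev ? ["--groups", "dependencies"] : [])
+: ["npm", "audit", "--recursive", "--json"].concat(
+skipDev ? ["--environment", "production"] : ["--all"]
+);
 if (registry) {
 const auditRegistrySupported = yarnAuditSupportsRegistry(yarnVersion);
 if (auditRegistrySupported) {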
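Review bot: The classic-yarn branch in the second hunk passes `--groups dependencies`, which limits the audit to that single group, so optionalDependencies are dropped along with devDependencies even though the option is documented as skipping devDependencies only; `["--groups", "dependencies", "optionalDependencies"]` keeps the documented scope, since yarn classic's default groups are devDependencies, dependencies and optionalDependencies. In the Berry branch `skipDev` also removes `--all`, which in `yarn npm audit` selects all workspaces rather than an environment, so enabling the option silently narrows a workspace-wide audit to the current workspace; keeping `--all` in the base array and appending only `["--environment", "production"]` when `skipDev` is set keeps the two concerns independent, unless a Berry version you target rejects that combination. The `audit` function begins in the first hunk and its body ends outside both hunks.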

package-lock.json

Lines changed: 1 addition & 1 deletion

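--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "audit-ci",
-"version": "4.0.0",
+"version": "4.1.0",
 "description": "Audits npm and yarn projects in CI environments",
 "license": "Apache-2.0",
 "main": "./lib/audit-ci.js",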

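--- a/test/npm-auditer.js
+++ b/test/npm-auditer.js
@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm-output.json");
 const reportNpmLow = require("./npm-low/npm-output.json");
 const reportNpmNone = require("./npm-none/npm-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
@@ -265,6 +266,18 @@ describe("npm-auditer", function testNpmAuditer() {
 done();
 });
 });
+it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+const summary = report(
+reportNpmSkipDev,
+config({
+directory: testDir("npm-skip-dev"),
+"skip-dev": true,
+"report-type": "important",
+}),
+(_summary) => _summary
+);
+expect(summary).to.eql(summaryWithDefault());
+});
 // it("fails errors with code ENOAUDIT on a valid site with no audit", (done) => {
 // audit(
 // config({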
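Review bot: The new case in the second hunk exercises only `report()` against a fixture that already holds zero vulnerabilities, so the branch this feature adds to runNpmAudit (pushing `--production` when `config["skip-dev"]` is set) is executed by no test and a regression there would go unnoticed; the parallel case added in test/npm7-auditer.js has the same gap. A test asserting the argument list handed to runProgram, or a live `audit()` case against `test/npm-skip-dev` like the one the yarn suite adds, would cover it. The describe block enclosing this case starts outside the hunk.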

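--- a/test/npm-skip-dev/npm-output.json
+++ b/test/npm-skip-dev/npm-output.json
@@ -0,0 +1,19 @@
+{
+"actions": [],
+"advisories": {},
+"muted": [],
+"metadata": {
+"vulnerabilities": {
+"info": 0,
+"low": 0,
+"moderate": 0,
+"high": 0,
+"critical": 0
+},
+"dependencies": 1,
+"devDependencies": 0,
+"optionalDependencies": 0,
+"totalDependencies": 1
+},
+"runId": "cf8267d6-1ce5-44eb-9320-003467502021"
+}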

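--- a/test/npm-skip-dev/npm7-output.json
+++ b/test/npm-skip-dev/npm7-output.json
@@ -0,0 +1,22 @@
+{
+"auditReportVersion": 2,
+"vulnerabilities": {},
+"metadata": {
+"vulnerabilities": {
+"info": 0,
+"low": 0,
+"moderate": 0,
+"high": 0,
+"critical": 0,
+"total": 0
+},
+"dependencies": {
+"prod": 2,
+"dev": 1,
+"optional": 0,
+"peer": 0,
+"peerOptional": 0,
+"total": 2
+}
+}
+}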

test/npm-skip-dev/package-lock.json

Lines changed: 18 additions & 0 deletions

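--- a/test/npm-skip-dev/package.json
+++ b/test/npm-skip-dev/package.json
@@ -0,0 +1,10 @@
+{
+"name": "audit-ci-npm-skip-dev",
+"description": "Test package.json with critical vulnerability in devDependencies",
+"dependencies": {
+"node-noop": "1.0.0"
+},
+"devDependencies": {
+"open": "0.0.5"
+}
+}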

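--- a/test/npm7-auditer.js
+++ b/test/npm7-auditer.js
@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm7-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm7-output.json");
 const reportNpmLow = require("./npm-low/npm7-output.json");
 const reportNpmNone = require("./npm-none/npm7-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 describe("npm7-auditer", function testNpm7Auditer() {
 it("prints full report with critical severity", () => {
@@ -263,4 +264,16 @@ describe("npm7-auditer", function testNpm7Auditer() {
 done();
 });
 });
+it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+const summary = report(
+reportNpmSkipDev,
+config({
+directory: testDir("npm-skip-dev"),
+"skip-dev": true,
+"report-type": "important",
+}),
+(_summary) => _summary
+);
+expect(summary).to.eql(summaryWithDefault());
+});
 });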
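Review bot: The require added in the first hunk loads `./npm-skip-dev/npm-output.json`, the npm 6 fixture, while every other fixture in this file uses its `npm7-output.json` variant, and the `test/npm-skip-dev/npm7-output.json` this commit adds is referenced nowhere; the npm 7 report path is therefore checked against npm 6 output. Assuming the npm7 reporter accepts that fixture as it does for the sibling cases, the line should read `const reportNpmSkipDev = require("./npm-skip-dev/npm7-output.json");`. The describe block the second hunk appends to starts outside the hunk.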

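--- a/test/yarn-auditer.js
+++ b/test/yarn-auditer.js
@@ -21,6 +21,7 @@ function config(additions) {
 directory: "./",
 registry: undefined,
 "pass-enoaudit": false,
+"skip-dev": false,
 };
 return { ...defaultConfig, ...additions };
 }
@@ -255,6 +256,19 @@ describe("yarn-auditer", function testYarnAuditer() {
 );
 }
 );
+it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", async () => {
+const summary = await audit(
+config({
+directory: testDir(
+canRunYarnBerry ? "yarn-berry-skip-dev" : "yarn-skip-dev"
+),
+"skip-dev": true,
+"report-type": "important",
+}),
+(_summary) => _summary
+);
+expect(summary).to.eql(summaryWithDefault());
+});
 // it('prints unexpected https://registry.yarnpkg.com 503 error message', () => {
 // const directory = testDir('yarn-503');
 // const errorMessagePath = path.resolve(directory, 'error-message');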
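Review bot: The new case in the second hunk runs a live `audit()` and asserts only the empty summary, so it passes both when `--groups`/`--environment` take effect and when the registry simply stops reporting `open@0.0.5` (the devDependency in the new fixtures) as vulnerable; a companion case on the same fixture with `"skip-dev": false` asserting the critical finding would pin that the flag, not the registry, produces the result. Because the fixture directory is selected by `canRunYarnBerry`, that companion needs to hold for both `yarn-skip-dev` and `yarn-berry-skip-dev`. The describe block enclosing the case starts outside the hunk.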
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
// Rather than have a bunch of yarn-berry.cjs of different versions,
2+
// we can specify a single yarn-berry.cjs and require the file for each package.
3+
module.exports = require("../../../yarn-berry.cjs");

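--- a/test/yarn-berry-skip-dev/.yarnrc.yml
+++ b/test/yarn-berry-skip-dev/.yarnrc.yml
@@ -0,0 +1 @@
+yarnPath: ".yarn/releases/yarn-berry.cjs"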

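--- a/test/yarn-berry-skip-dev/README.md
+++ b/test/yarn-berry-skip-dev/README.md
@@ -0,0 +1,13 @@
+# Yarn Berry tests
+
+When creating Yarn Berry tests, there are several files and folders that may generate that are not necessary for auditing using `yarn npm audit --all --recursive --json`.
+
+- .pnp.js
+
+- .yarn/cache
+
+Consider manually deleting them before committing.
+
+Also, the `.yarn/releases/yarn-berry.cjs` file in each project re-exports the `yarn-berry.cjs` file at the root of tests.
+Re-exporting the file reduces duplication and version mismatching for tests.
+Currently, this project is set up to use the latest version v2.4.0 (at the time of writing this, Dec 6th, 2020).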

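--- a/test/yarn-berry-skip-dev/package.json
+++ b/test/yarn-berry-skip-dev/package.json
@@ -0,0 +1,10 @@
+{
+"name": "audit-ci-yarn-berry-skip-dev",
+"description": "Test package.json with critical devDependency",
+"dependencies": {
+"node-noop": "1.0.0"
+},
+"devDependencies": {
+"open": "0.0.5"
+}
+}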

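--- a/test/yarn-berry-skip-dev/yarn.lock
+++ b/test/yarn-berry-skip-dev/yarn.lock
@@ -0,0 +1,29 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+version: 4
+cacheKey: 7
+
+"audit-ci-yarn-berry-skip-dev@workspace:.":
+version: 0.0.0-use.local
+resolution: "audit-ci-yarn-berry-skip-dev@workspace:."
+dependencies:
+node-noop: 1.0.0
+open: 0.0.5
+languageName: unknown
+linkType: soft
+
+"node-noop@npm:1.0.0":
+version: 1.0.0
+resolution: "node-noop@npm:1.0.0"
+checksum: 33331046468af72c22553cee2b754851897fa26c36393017ad3dcfbcd28b705e573a71ae7abe18a8f357fa6fd9a3b3ab3aefb52f373b368ec4a5be40b530e269
+languageName: node
+linkType: hard
+
+"open@npm:0.0.5":
+version: 0.0.5
+resolution: "open@npm:0.0.5"
+checksum: 5c974432a245cad8ecf3c10529fc1bce29118ee73cb71dd89bbe1dc89b453b944edd4a5e42aa56915a27d5419c7b29bfb4782f1fc336a863452d8051ec3e00af
+languageName: node
+linkType: hard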

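--- a/test/yarn-skip-dev/package.json
+++ b/test/yarn-skip-dev/package.json
@@ -0,0 +1,10 @@
+{
+"name": "audit-ci-yarn-skip-dev",
+"description": "Test package.json with critical devDependency",
+"dependencies": {
+"node-noop": "1.0.0"
+},
+"devDependencies": {
+"open": "0.0.5"
+}
+}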

test/yarn-skip-dev/yarn.lock

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
2+
# yarn lockfile v1
3+
4+
5+
6+
version "1.0.0"
7+
resolved "https://registry.yarnpkg.com/node-noop/-/node-noop-1.0.0.tgz#47a3e7d80cffaa6458364bd22ed85cab3307be79"
8+
integrity sha1-R6Pn2Az/qmRYNkvSLthcqzMHvnk=
9+
10+
11+
version "0.0.5"
12+
resolved "https://registry.yarnpkg.com/open/-/open-0.0.5.tgz#42c3e18ec95466b6bf0dc42f3a2945c3f0cad8fc"
13+
integrity sha1-QsPhjslUZra/DcQvOilFw/DK2Pw=
