Merge pull request #186 from WhatIfWeDigDeeper/feature-skip-dev-dependencies

Feature: optional `--skip-dev` flag to exclude devDependencies

Author: quinnturner

README.md

@@ -103,6 +103,7 @@ scripts:
 |      | --report-type     | Format for the audit report results [_choices_: `important`, `summary`, `full`] (default `important`) |
 |      | --retry-count     | The number of attempts audit-ci calls an unavailable registry before failing (default `5`)            |
 |      | --config          | Path to JSON config file                                                                              |
+|      | --skip-dev        | Skip auditing devDependencies (default `false`)                                                       |
 |      | --advisories      | _[DEPRECATED]_ Vulnerable advisory ids to whitelist from preventing integration (default `none`)      |
 | -w   | --whitelist       | _[DEPRECATED]_ Vulnerable modules to whitelist from preventing integration (default `none`)           |
 |      | --path-whitelist  | _[DEPRECATED]_ Vulnerable module paths to whitelist from preventing integration (default `none`)      |
@@ -129,6 +130,7 @@ A config file can manage auditing preferences `audit-ci`. The config file's keys
   "show-not-found": <boolean>, // [Optional] defaults `true`
   "registry": <string>, // [Optional] defaults `undefined`
   "retry-count": <number>, // [Optional] defaults 5
+  "skip-dev": <boolean>, // [Optional] defaults `false`
   "advisories": <number[]>, // [Deprecated, optional] defaults `[]`
   "path-whitelist": <string[]>, // [Deprecated, optional] defaults `[]`
   "whitelist": <string[]> // [Deprecated, optional] defaults `[]`

lib/audit-ci.js

@@ -100,6 +100,11 @@ const { argv } = yargs
         "Pass if no audit is performed due to the registry returning ENOAUDIT",
       type: "boolean",
     },
+    "skip-dev": {
+      default: false,
+      describe: "Skip devDependencies",
+      type: "boolean",
+    },
     advisories: {
       default: [],
       describe:

lib/npm-auditer.js

@@ -20,6 +20,9 @@ async function runNpmAudit(config) {
   if (registry) {
     args.push("--registry", registry);
   }
+  if (config["skip-dev"]) {
+    args.push("--production");
+  }
   const options = { cwd: directory };
   await runProgram(npmExec, args, options, outListener, errListener);
   if (stderrBuffer.length) {
@@ -85,6 +88,7 @@ function report(parsedOutput, config, reporter) {
  * `registry`: the registry to resolve packages by name and version.
  * `show-not-found`: show allowlisted advisories that are not found.
  * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+ * `skip-dev`: skip devDependencies, defaults to false
  * `_npm`: a path to npm, uses npm from PATH if not specified.
  * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
  */

lib/yarn-auditer.js

@@ -49,11 +49,18 @@ function yarnAuditSupportsRegistry(yarnVersion) {
  * `registry`: the registry to resolve packages by name and version.
  * `show-not-found`: show allowlisted advisories that are not found.
  * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+ * `skip-dev`: skip devDependencies, defaults to false
  * `_yarn`: a path to yarn, uses yarn from PATH if not specified.
  * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
  */
 async function audit(config, reporter = reportAudit) {
-  const { levels, registry, "report-type": reportType, _yarn } = config;
+  const {
+    levels,
+    registry,
+    "report-type": reportType,
+    "skip-dev": skipDev,
+    _yarn,
+  } = config;
   const yarnExec = _yarn || "yarn";
   let missingLockFile = false;
   const model = new Model(config);
@@ -170,8 +177,10 @@ async function audit(config, reporter = reportAudit) {
   }
   const options = { cwd: config.directory };
   const args = isYarnClassic
-    ? ["audit", "--json"]
-    : ["npm", "audit", "--all", "--recursive", "--json"];
+    ? ["audit", "--json"].concat(skipDev ? ["--groups", "dependencies"] : [])
+    : ["npm", "audit", "--recursive", "--json"].concat(
+        skipDev ? ["--environment", "production"] : ["--all"]
+      );
   if (registry) {
     const auditRegistrySupported = yarnAuditSupportsRegistry(yarnVersion);
     if (auditRegistrySupported) {

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "audit-ci",
-  "version": "4.0.0",
+  "version": "4.1.0",
   "description": "Audits npm and yarn projects in CI environments",
   "license": "Apache-2.0",
   "main": "./lib/audit-ci.js",

package.json

@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm-output.json");
 const reportNpmLow = require("./npm-low/npm-output.json");
 const reportNpmNone = require("./npm-none/npm-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
@@ -265,6 +266,18 @@ describe("npm-auditer", function testNpmAuditer() {
       done();
     });
   });
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+    const summary = report(
+      reportNpmSkipDev,
+      config({
+        directory: testDir("npm-skip-dev"),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
   // it("fails errors with code ENOAUDIT on a valid site with no audit", (done) => {
   //   audit(
   //     config({

test/npm-auditer.js

@@ -0,0 +1,19 @@
+{
+  "actions": [],
+  "advisories": {},
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 0,
+      "critical": 0
+    },
+    "dependencies": 1,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 1
+  },
+  "runId": "cf8267d6-1ce5-44eb-9320-003467502021"
+}

test/npm-skip-dev/npm-output.json

@@ -0,0 +1,22 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {},
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 0,
+      "critical": 0,
+      "total": 0
+    },
+    "dependencies": {
+      "prod": 2,
+      "dev": 1,
+      "optional": 0,
+      "peer": 0,
+      "peerOptional": 0,
+      "total": 2
+    }
+  }
+}

test/npm-skip-dev/npm7-output.json

@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-npm-skip-dev",
+  "description": "Test package.json with critical vulnerability in devDependencies",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}

test/npm-skip-dev/package-lock.json

@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm7-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm7-output.json");
 const reportNpmLow = require("./npm-low/npm7-output.json");
 const reportNpmNone = require("./npm-none/npm7-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 describe("npm7-auditer", function testNpm7Auditer() {
   it("prints full report with critical severity", () => {
@@ -263,4 +264,16 @@ describe("npm7-auditer", function testNpm7Auditer() {
       done();
     });
   });
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+    const summary = report(
+      reportNpmSkipDev,
+      config({
+        directory: testDir("npm-skip-dev"),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
 });

test/npm-skip-dev/package.json

@@ -21,6 +21,7 @@ function config(additions) {
     directory: "./",
     registry: undefined,
     "pass-enoaudit": false,
+    "skip-dev": false,
   };
   return { ...defaultConfig, ...additions };
 }
@@ -255,6 +256,19 @@ describe("yarn-auditer", function testYarnAuditer() {
       );
     }
   );
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", async () => {
+    const summary = await audit(
+      config({
+        directory: testDir(
+          canRunYarnBerry ? "yarn-berry-skip-dev" : "yarn-skip-dev"
+        ),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
   // it('prints unexpected https://registry.yarnpkg.com 503 error message', () => {
   //   const directory = testDir('yarn-503');
   //   const errorMessagePath = path.resolve(directory, 'error-message');

test/npm7-auditer.js

@@ -0,0 +1,3 @@
+// Rather than have a bunch of yarn-berry.cjs of different versions,
+// we can specify a single yarn-berry.cjs and require the file for each package.
+module.exports = require("../../../yarn-berry.cjs");

test/yarn-auditer.js

@@ -0,0 +1 @@
+yarnPath: ".yarn/releases/yarn-berry.cjs"

test/yarn-berry-skip-dev/.yarn/install-state.gz

@@ -0,0 +1,13 @@
+# Yarn Berry tests
+
+When creating Yarn Berry tests, there are several files and folders that may generate that are not necessary for auditing using `yarn npm audit --all --recursive --json`.
+
+- .pnp.js
+
+- .yarn/cache
+
+Consider manually deleting them before committing.
+
+Also, the `.yarn/releases/yarn-berry.cjs` file in each project re-exports the `yarn-berry.cjs` file at the root of tests.
+Re-exporting the file reduces duplication and version mismatching for tests.
+Currently, this project is set up to use the latest version v2.4.0 (at the time of writing this, Dec 6th, 2020).

test/yarn-berry-skip-dev/.yarn/releases/yarn-berry.cjs

@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-yarn-berry-skip-dev",
+  "description": "Test package.json with critical devDependency",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-berry-skip-dev/.yarnrc.yml

@@ -0,0 +1,29 @@
+# This file is generated by running "yarn install" inside your project.
+# Manual changes might be lost - proceed with caution!
+
+__metadata:
+  version: 4
+  cacheKey: 7
+
+"audit-ci-yarn-berry-skip-dev@workspace:.":
+  version: 0.0.0-use.local
+  resolution: "audit-ci-yarn-berry-skip-dev@workspace:."
+  dependencies:
+    node-noop: 1.0.0
+    open: 0.0.5
+  languageName: unknown
+  linkType: soft
+
+"node-noop@npm:1.0.0":
+  version: 1.0.0
+  resolution: "node-noop@npm:1.0.0"
+  checksum: 33331046468af72c22553cee2b754851897fa26c36393017ad3dcfbcd28b705e573a71ae7abe18a8f357fa6fd9a3b3ab3aefb52f373b368ec4a5be40b530e269
+  languageName: node
+  linkType: hard
+
+"open@npm:0.0.5":
+  version: 0.0.5
+  resolution: "open@npm:0.0.5"
+  checksum: 5c974432a245cad8ecf3c10529fc1bce29118ee73cb71dd89bbe1dc89b453b944edd4a5e42aa56915a27d5419c7b29bfb4782f1fc336a863452d8051ec3e00af
+  languageName: node
+  linkType: hard

test/yarn-berry-skip-dev/README.md

@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-yarn-skip-dev",
+  "description": "Test package.json with critical devDependency",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}

test/yarn-berry-skip-dev/package.json

@@ -0,0 +1,13 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+[email protected]:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/node-noop/-/node-noop-1.0.0.tgz#47a3e7d80cffaa6458364bd22ed85cab3307be79"
+  integrity sha1-R6Pn2Az/qmRYNkvSLthcqzMHvnk=
+
+[email protected]:
+  version "0.0.5"
+  resolved "https://registry.yarnpkg.com/open/-/open-0.0.5.tgz#42c3e18ec95466b6bf0dc42f3a2945c3f0cad8fc"
+  integrity sha1-QsPhjslUZra/DcQvOilFw/DK2Pw=