feat: optional skip-dev npm support

WhatIfWeDigDeeper · WhatIfWeDigDeeper · commit a43b379ec2d1 · 2021-06-12T12:20:28.000-05:00
diff --git a/README.md b/README.md
@@ -129,6 +129,7 @@ A config file can manage auditing preferences `audit-ci`. The config file's keys
   "show-not-found": <boolean>, // [Optional] defaults `true`
   "registry": <string>, // [Optional] defaults `undefined`
   "retry-count": <number>, // [Optional] defaults 5
+  "skip-dev": <boolean>, // [Optional] defaults `false`
   "advisories": <number[]>, // [Deprecated, optional] defaults `[]`
   "path-whitelist": <string[]>, // [Deprecated, optional] defaults `[]`
   "whitelist": <string[]> // [Deprecated, optional] defaults `[]`
diff --git a/lib/audit-ci.js b/lib/audit-ci.js
@@ -100,6 +100,11 @@ const { argv } = yargs
         "Pass if no audit is performed due to the registry returning ENOAUDIT",
       type: "boolean",
     },
+    "skip-dev": {
+      default: false,
+      describe: "Skip devDependencies",
+      type: "boolean",
+    },
     advisories: {
       default: [],
       describe:
diff --git a/lib/npm-auditer.js b/lib/npm-auditer.js
@@ -20,6 +20,9 @@ async function runNpmAudit(config) {
   if (registry) {
     args.push("--registry", registry);
   }
+  if (config["skip-dev"]) {
+    args.push("--production");
+  }
   const options = { cwd: directory };
   await runProgram(npmExec, args, options, outListener, errListener);
   if (stderrBuffer.length) {
@@ -85,6 +88,7 @@ function report(parsedOutput, config, reporter) {
  * `registry`: the registry to resolve packages by name and version.
  * `show-not-found`: show allowlisted advisories that are not found.
  * `levels`: the vulnerability levels to fail on, if `moderate` is set `true`, `high` and `critical` should be as well.
+ * `skip-dev`: skip devDependencies, defaults to false
  * `_npm`: a path to npm, uses npm from PATH if not specified.
  * @returns {Promise<any>} Returns the audit report summary on resolve, `Error` on rejection.
  */
diff --git a/test/npm-auditer.js b/test/npm-auditer.js
@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm-output.json");
 const reportNpmLow = require("./npm-low/npm-output.json");
 const reportNpmNone = require("./npm-none/npm-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
@@ -265,6 +266,18 @@ describe("npm-auditer", function testNpmAuditer() {
       done();
     });
   });
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+    const summary = report(
+      reportNpmSkipDev,
+      config({
+        directory: testDir("npm-skip-dev"),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
   // it("fails errors with code ENOAUDIT on a valid site with no audit", (done) => {
   //   audit(
   //     config({
diff --git a/test/npm-skip-dev/npm-output.json b/test/npm-skip-dev/npm-output.json
@@ -0,0 +1,19 @@
+{
+  "actions": [],
+  "advisories": {},
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 0,
+      "critical": 0
+    },
+    "dependencies": 1,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 1
+  },
+  "runId": "cf8267d6-1ce5-44eb-9320-003467502021"
+}
diff --git a/test/npm-skip-dev/npm7-output.json b/test/npm-skip-dev/npm7-output.json
@@ -0,0 +1,22 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {},
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 0,
+      "high": 0,
+      "critical": 0,
+      "total": 0
+    },
+    "dependencies": {
+      "prod": 2,
+      "dev": 1,
+      "optional": 0,
+      "peer": 0,
+      "peerOptional": 0,
+      "total": 2
+    }
+  }
+}
diff --git a/test/npm-skip-dev/package-lock.json b/test/npm-skip-dev/package-lock.json
diff --git a/test/npm-skip-dev/package.json b/test/npm-skip-dev/package.json
@@ -0,0 +1,10 @@
+{
+  "name": "audit-ci-npm-skip-dev",
+  "description": "Test package.json with critical vulnerability in devDependencies",
+  "dependencies": {
+    "node-noop": "1.0.0"
+  },
+  "devDependencies": {
+    "open": "0.0.5"
+  }
+}
diff --git a/test/npm7-auditer.js b/test/npm7-auditer.js
@@ -9,6 +9,7 @@ const reportNpmModerateSeverity = require("./npm-moderate/npm7-output.json");
 const reportNpmAllowlistedPath = require("./npm-allowlisted-path/npm7-output.json");
 const reportNpmLow = require("./npm-low/npm7-output.json");
 const reportNpmNone = require("./npm-none/npm7-output.json");
+const reportNpmSkipDev = require("./npm-skip-dev/npm-output.json");
 
 describe("npm7-auditer", function testNpm7Auditer() {
   it("prints full report with critical severity", () => {
@@ -263,4 +264,16 @@ describe("npm7-auditer", function testNpm7Auditer() {
       done();
     });
   });
+  it("reports summary with no vulnerabilities when critical devDependency and skip-dev is true", () => {
+    const summary = report(
+      reportNpmSkipDev,
+      config({
+        directory: testDir("npm-skip-dev"),
+        "skip-dev": true,
+        "report-type": "important",
+      }),
+      (_summary) => _summary
+    );
+    expect(summary).to.eql(summaryWithDefault());
+  });
 });
