From 8d95c95152fddc24a58b5ba388660ca96dd148a4 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Fri, 29 May 2020 14:57:01 +0200
Subject: [PATCH] CI: npm-audit cronjob in travis
---
 .travis.yml | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index d4fe2127..2d293654 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -2,6 +2,13 @@ language: node_js
 branches:
 except:
 - /^greenkeeper.*/
+
+stages:
+ - name: test
+ if: type IN (push, pull_request, api)
+ - name: cron
+ if: type IN (cron, api)
+
 # Test against Long Term Support (LTS) releases in a "current", "active", and
 # "maintenance" status: https://nodejs.org/en/about/releases/
 node_js:
@@ -9,10 +16,23 @@ node_js:
 - 12
 - 10
 install:
- npm install -g codecov
- npm install
+ - npm ci # install from package-lock.json
 script:
 - npm run lint
 - travis_retry npm test
 after_success:
+ - npm install -g codecov
 - npm run codecov
+
+include:
+ jobs:
+ - name: deps:npm-audit
+ stage: cron
+ install:
+ - npm ci --production
+ script:
+ - npm audit
+ after_success:
+ - echo "package-lock.json is considered secure according to 'npm audit'."
+ after_failure:
+ - echo "package-lock.json should be updated with 'npm audit fix'."
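Review bot: The new `stages:` block has no comment saying that the `cron` stage only fires for scheduled builds, and that schedule is normally set in the Travis repository settings rather than in this file. A line such as `# cron: scheduled dependency audit; needs a cron schedule enabled in the Travis repo settings` above the `- name: cron` entry would let a reader know the audit depends on out-of-band configuration. It would also help to say why `api` is in both conditions, presumably so a manually triggered build runs both stages.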
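Review bot: The audit job at the end of the second hunk is declared under a top-level `include:` key with `jobs:` nested inside it, which is the reverse of the `jobs:` then `include:` nesting Travis uses for extra jobs (indentation is lost on this page, so this is read from key order). As written the `deps:npm-audit` job is probably never created, so the audit would silently never run; the block should start `jobs:` followed by `  include:`. Separately, `npm ci --production` skips devDependencies but plain `npm audit` still reports on the whole lockfile, so if only the shipped tree should gate the job, pass `--production` to the audit too (on npm versions that accept it) and consider `--audit-level` to choose the failing severity. The relocated `npm install -g codecov` still installs an unpinned package outside `package-lock.json`; pinning a version would keep that step reproducible.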