[FEATURE] Add audit resolve/fix management

[mikemimik]

What / Why

Would be great to have an interactive update command for npm audit fix

Where

• npm audit fix

How

Current Behavior

• Not interactive

Expected Behavior

• Cool interactive menu

References

• interactive pick-updates command #168

[ruyadorno]

(just documenting some of the discussions from chats and video conferences)

We should def decouple the interactivity from the audit fix management, it'd be nice to create some sort of local db layer resolve file (so that it can be checked into version control systems) that keeps track of audits and expose a set of sub commands to list, set, unset audit warnings - let's not add interactivity to the mix just yet 😊

Ideas:

$ npm audit list
1325 [high]     handlebars: Prototype Pollution
1324 [high]     handlebars: Arbitrary Code Execution
788  [moderate] js-yaml: Denial of Service

$ npm audit get 788
Status: Pending
Level: Moderate
Type: Denial of Service
Package name: js-yaml
Dependency of: tap [dev]
Path: tap > tap-parser > js-yaml
More info: https://npmjs.com/advisories/788

$ npm audit set 788 --status=Read

$ npm audit list
1325 [high]     handlebars: Prototype Pollution
1324 [high]     handlebars: Arbitrary Code Execution

$ npm audit get 788
Status: Read
Level: Moderate
Type: Denial of Service
Package name: js-yaml
Dependency of: tap [dev]
Path: tap > tap-parser > js-yaml
More info: https://npmjs.com/advisories/788

As you can see from the example above, npm audit list would only list audit items that has a status of Pending, setting a status to something else would exclude that item from the audit results.

The legacy npm audit can stay mostly the same but can also use the status in order to omit reports, etc.

[ruyadorno]

Open RFC: npm/rfcs#18

[ruyadorno]

Existing userland solution: https://www.npmjs.com/package/npm-audit-resolver

[ruyadorno]

Having this in place it would be trivial to have userland modules that uses https://github.com/ruyadorno/ipt to take the npm audit list output, build an interactive interface and set the read/fix/ignore status upon selecting an item.

[naugtur]

Hi, npm-audit-resolver author here.

I've refactored the resolver and extracted a core package. There might be some work left to perfect the API it exposes, but the core package is designated to be used in npm audit to support ignoring and other features.

The interactive command would remain userland as-is. That was made very clear in the RFC and other communication - npm cli doesn't want to be interactive.

What do you think?

[ruyadorno]

closing this in favor of continuing the conversation over at npm/rfcs#18