This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

audit: allow the audit failure level to be configured #20992

Closed
wants to merge 3 commits into from

Conversation

lennym
Contributor

@lennym lennym commented Jun 14, 2018

npm audit currently exits with exit code 1 if any vulnerabilities are found of any level.

Add a flag of --audit-level to npm audit to allow it to pass if only vulnerabilities below a certain level are found.

Example: npm audit --audit-level=high will exit with 0 if only low or moderate level vulns are detected.

@lennym lennym requested a review from a team as a code owner June 14, 2018 15:06
@lennym lennym force-pushed the feature/configurable-audit-level branch from f7a4d86 to da476b3 on June 14, 2018 15:07
@lennym
Contributor Author

lennym commented Jun 14, 2018

Use case: we'd like to include npm audit in our CI pipelines because it's a brilliant feature, but also we don't want to worry about low level vulnerabilities because if we did then we'd never actually ship anything.

We can work around it by parsing the json and working it out for ourselves, but this PR was easier than doing that.
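The workaround mentioned above (parse the `npm audit --json` output and apply the threshold yourself) as an added example; this is not code from the PR or from npm itself. It assumes the report carries a `metadata.vulnerabilities` object with per-severity counts, which is the shape npm 6 emits; the sample report, the script name `audit-gate.js` and the helper names are constructed for illustration. It generalizes the PR's `--audit-level=high` case to any level on the info/low/moderate/high/critical scale and fails closed on a missing or malformed report, which is what you want in CI.

```javascript
// Added example (not npm's code): emulate the proposed `--audit-level` flag by
// post-processing `npm audit --json`, i.e. the "parse the JSON and work it out
// ourselves" workaround from the PR discussion.
// Assumption: the report carries a `metadata.vulnerabilities` object with
// per-severity counts, as npm 6 `npm audit --json` does.

// Severity scale, lowest to highest.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Count findings whose severity is at or above `level`.
function countAtOrAbove(report, level) {
  const idx = SEVERITIES.indexOf(level);
  if (idx === -1) {
    throw new Error(`unknown audit level "${level}" (expected one of ${SEVERITIES.join(', ')})`);
  }
  const counts = (report.metadata && report.metadata.vulnerabilities) || {};
  return SEVERITIES.slice(idx).reduce((n, s) => n + (Number(counts[s]) || 0), 0);
}

// Exit status the gate should produce: 1 when anything at or above `level`
// was found, 0 otherwise (mirrors the proposed `npm audit --audit-level=<level>`).
function auditExitCode(report, level) {
  return countAtOrAbove(report, level) > 0 ? 1 : 0;
}

// Parse the raw text of `npm audit --json`. A missing or malformed report
// fails closed (exit 1) rather than silently letting the pipeline pass.
function gateFromJson(text, level) {
  let report;
  try {
    report = JSON.parse(text);
  } catch (err) {
    return { exitCode: 1, reason: `unparseable audit report: ${err.message}` };
  }
  if (!report || typeof report !== 'object' || !report.metadata) {
    return { exitCode: 1, reason: 'audit report has no metadata block' };
  }
  const n = countAtOrAbove(report, level);
  return { exitCode: n > 0 ? 1 : 0, reason: `${n} finding(s) at or above ${level}` };
}

// Constructed sample: the `metadata` block of an npm 6 style audit report with
// three low and one moderate finding and nothing higher.
const SAMPLE_REPORT = {
  metadata: {
    vulnerabilities: { info: 0, low: 3, moderate: 1, high: 0, critical: 0 },
    dependencies: 412,
    devDependencies: 880,
    totalDependencies: 1292,
  },
};

// CLI usage (hypothetical script name):
//   npm audit --json > report.json; node audit-gate.js high report.json
// With no file argument it gates the constructed sample and only prints the
// outcome, so the process exit status is left alone. The default level "low"
// matches npm's current behaviour of failing on anything at all.
if (typeof require === 'function' && require.main === module) {
  const level = process.argv[2] || 'low';
  const file = process.argv[3];
  const text = file ? require('fs').readFileSync(file, 'utf8') : JSON.stringify(SAMPLE_REPORT);
  const result = gateFromJson(text, level);
  console.log(`${result.reason}; exit ${result.exitCode}`);
  if (file) process.exitCode = result.exitCode;
}
```

One design point worth keeping if you adapt this: the gate treats an empty or unparseable report as a failure. If `npm audit` cannot reach the registry the JSON output is not a clean report, and a gate that defaults to "pass" on that input would quietly stop auditing anything.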

@legodude17
Contributor

@lennym You also need to document this, add it to the types object in lib/config/defaults.js, and add some tests.
@lennym lennym force-pushed the feature/configurable-audit-level branch from da476b3 to c5e48d0 on June 14, 2018 15:58
@lennym
Contributor Author

lennym commented Jun 14, 2018

I've updated to include the types.

Before I go too deep into writing tests and docs it'd be good to get some steer as to whether this is a feature that might get merged in principle as is (docs and tests pending).

I'm not super keen to go and spend a few hours coding on this if it's not going to get merged or it's just going to end up going down a rabbit hole of expanding features. Obviously very happy to do so if it results in getting the feature in a future version though.

@legodude17
Contributor

legodude17 commented Jun 14, 2018

In that case, I would suggest you drop something in https://npm.community/c/ideas about this.

@lennym
Contributor Author

lennym commented Jun 14, 2018

One step ahead... https://npm.community/t/allow-a-configurable-vuln-level-to-make-npm-audit-fail/245

I did try to post a reply pointing to this PR, but I've been put in time out there for some reason (I assume because I was freshly signed up and posted too many links - no complaint from me in that regard)

@naugtur

naugtur commented Jun 16, 2018

Shameless advertising:
Have you seen https://www.npmjs.com/package/npm-audit-resolver ?
It's meant for enabling the use of audits in CI.

@lennym
Contributor Author

lennym commented Jun 29, 2018

Apologies for the radio silence on this. I've added some docs and tests in the hope that this might make it into a future release.

I couldn't find any obvious tests for the basic audit command - only audit fix so I created a new test file and attempted to reverse engineer the audit fix tests as best I could, so it might be worth someone who really understands how both the test runner and the audit command work better than I do taking a look over my attempts.

Cheers.

@zkat
Contributor

zkat commented Jul 10, 2018

Hi! We're moving repos to https://github.com/npm/cli/pulls! See our blog post about the migration to npm.community for details. As such, we're closing all active PRs on this repo.

Could you please re-open this PR against npm/cli instead? We're still interested in this patch so we hope you will! We'll continue discussion over there once it's moved. 💚

4 participants