search

IBM / audit-ci

Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0
265 stars 43 forks source link

Support Yarn's `--exclude` #298

Closed sargunv closed 1 year ago

sargunv commented 1 year ago

Certain dependencies will cause NPM's quick audit endpoint to return a 400 Bad Request error, which bubbles up to yarn npm audit failing with that error and audit-ci failing with an "Invalid JSON" error.

Normally, we can work around this with yarn npm audit --exclude <pkg>, but currently there's no way to pass such excludes to Yarn when running it with audit-ci.

Would an "exclude" feature in audit-ci be acceptable? If so, I can start working on a PR.

CleanShot 2023-01-04 at 13 51 14@2x CleanShot 2023-01-04 at 13 54 37@2x
quinnturner commented 1 year ago

I was not aware of this. Absolutely, I would support passing this argument.

One point of debate is whether we should just go ahead and have some approach of passing in extra arguments directly to auditors vs. making an --exclude flag.

Making a Yarn-exclusive flag would be a first. Perhaps we can have an --extra-arguments flag which would append whatever is provided to the underlying auditor directly.

sargunv commented 1 year ago

One point of debate is whether we should just go ahead and have some approach of passing in extra arguments directly to auditors vs. making an --exclude flag.

This sounds like a good idea to me. Happy to start a PR this week