IBM / audit-ci

Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0
264 stars 42 forks

Add `--extra-args` to fix #298 #300

Closed sargunv closed 1 year ago

sargunv commented 1 year ago

As discussed in #298, this PR adds a --extra-args flag to pass additional arguments to the underlying audit command.

Since these additional args are likely to include flags (--foo), I added an escaping mechanism, so any "extra arg" starting with a \ will have that first \ removed.

Usage example:

npx audit-ci@^6 --extra-args '\--exclude' '@sargunv/testlib-c'

quinnturner commented 1 year ago

I also had trouble updating Yarn Berry to 3.3.1 in #294. Unless necessary, let's keep 3.3.0 and push the investigation for why 3.3.1 isn't working.

quinnturner commented 1 year ago

Can you add a test to cover the --exclude flag using the new --extra-args flag? We currently don't have integration tests for CLI usage, so using the normal unit tests with the config helpers is sufficient coverage. I will verify it works using the CLI locally for this PR once the test is written :)

sargunv commented 1 year ago

> Can you add a test to cover the --exclude flag using the new --extra-args flag? We currently don't have integration tests for CLI usage, so using the normal unit tests with the config helpers is sufficient coverage. I will verify it works using the CLI locally for this PR once the test is written :)

Currently the test Yarn Berry version is v2.4, so --exclude isn't available, but I wrote a test with --environment instead (basically the same test as skip-dev but using extra-args instead).

I was thinking I'd file a separate PR to include Yarn v3 in addition to v2 in tests (maybe v4 rc builds too?) and run against them all. Unsure if that's worth it though, thoughts?

quinnturner commented 1 year ago

> Currently the test Yarn Berry version is v2.4, so --exclude isn't available, but I wrote a test with --environment instead (basically the same test as skip-dev but using extra-args instead).

👍🏻

> I was thinking I'd file a separate PR to include Yarn v3 in addition to v2 in tests (maybe v4 rc builds too?) and run against them all. Unsure if that's worth it though, thoughts?

It was on my radar to do this as well. IMO, it is worth it, since the point of this package is to cover all package managers. However, I understand if you have a lot on your plate right now to tackle it. In either case, consider filing an issue so that we can track that work 😄

sargunv commented 1 year ago

> It was on my radar to do this as well. IMO, it is worth it, since the point of this package is to cover all package managers. However, I understand if you have a lot on your plate right now to tackle it. In either case, consider filing an issue so that we can track that work 😄

Cool, filed https://github.com/IBM/audit-ci/issues/302. I might work on it at some point, but not in the very near future.

quinnturner commented 1 year ago

Released in v6.6.0