InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins
Apache License 2.0

npm version 6 moved the "dev" attribute to the list of actions #72

Closed willowmck closed 4 years ago

willowmck commented 4 years ago

This test will no longer work since the "dev" attribute is not available in the list of advisories.

return (!(advisory[1].findings[0].dev && ignoreDev));

We will now need to track the offending package back to the list of actions to determine whether it is a dev dependency. For example, here is an action from npm audit with npm version 6.14.

{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 123,
          "path": "@stoplight/prism-cli>@stoplight/prism-http>@stoplight/http-spec>json-schema-generator>mkdirp>minimist",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ]
    }
  ]
}
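One way to make that determination under the npm 6.14 report shape, walking actions[].resolves[] instead of findings[].dev, as an added example that is not the wrapper's own code (the report contents, advisory ids and paths below are constructed; ignoreDev mirrors the option referenced in the snippet above):

```javascript
// Added example (not npm-audit-ci-wrapper code): decide whether an advisory is
// dev-only from actions[].resolves[], since npm 6.14 no longer puts "dev" on
// advisories[].findings[]. The report below is constructed to mirror the issue's sample.
const SAMPLE_REPORT = {
  actions: [
    {
      action: 'update',
      resolves: [
        { id: 123, path: 'json-schema-generator>mkdirp>minimist', dev: true },
      ],
    },
    {
      action: 'install',
      resolves: [
        { id: 456, path: 'express>body-parser', dev: false },
        { id: 456, path: 'jest>body-parser', dev: true },
      ],
    },
  ],
  advisories: {
    123: { id: 123, module_name: 'minimist', severity: 'low', findings: [{ version: '1.2.0' }] },
    456: { id: 456, module_name: 'body-parser', severity: 'high', findings: [{ version: '1.0.0' }] },
  },
};

// Index advisory id -> one "dev" flag per resolving path.
function devFlagsByAdvisory(report) {
  const index = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      if (!index.has(r.id)) index.set(r.id, []);
      index.get(r.id).push(Boolean(r.dev));
    }
  }
  return index;
}

// Dev-only means every path pulling the package in is a dev dependency; an advisory
// with no matching action is treated as NOT dev-only so it is never silently dropped.
function isDevOnly(report, advisoryId) {
  const flags = devFlagsByAdvisory(report).get(Number(advisoryId));
  return Array.isArray(flags) && flags.length > 0 && flags.every(Boolean);
}

// Advisory ids that should still fail the build when ignoreDev is set.
function failingAdvisories(report, ignoreDev) {
  return Object.values(report.advisories || {})
    .filter((adv) => !(ignoreDev && isDevOnly(report, adv.id)))
    .map((adv) => adv.id);
}
```

Note that 456 is reachable through both a prod and a dev path, so it is not ignored even with ignoreDev set.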

InfoSec812 commented 4 years ago

@willowmck Looks like the npm-audit module updated their Major version and made breaking changes in preparation for NPM v7: https://github.com/npm/npm-audit-report/tree/v2.0.0#break-from-version-1

Someone in the npm upstream didn't read that very carefully and included it in 6.x.

willowmck commented 4 years ago

oof

willowmck commented 4 years ago

Another question on this - could we not just run npm audit with the appropriate options in this case?

npm audit --only=prod

InfoSec812 commented 4 years ago

Testing was incomplete/flawed