This pull request adds a command to halt the npm audit CI job (but proceed with the overall workflow) when package-lock.json has not been changed on the branch being checked.
The result is that, for our branch checks, the job will get the green checkmark unless (a) package-lock.json has been updated on that branch, and (b) there is a vulnerability detected by npm audit.
To see how this works, check out these two job results:
Job 1: in which no npm packages were updated
Job 2: in which underscore.js was changed to an insecure version
In job 1, our command halts the rest of the job and returns green.
Note that this does not prevent all potential "unrelated" failures on CI because of npm audit. There is still the case that package-lock.json might be updated to install package-a while package-b causes an audit failure.
However, I do think this is a fairly simple way (it's a one-liner in git and grep) to prevent almost all of the hard failures we see related to npm audit, while still retaining protection for when packages are introduced or upgraded.
Refs https://github.com/freedomofpress/fpf-www-projects/issues/190
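One way such a gate can be written as the CI job's script (an added example, not the PR's own one-liner). It assumes the base branch is origin/main, that the runner has a full clone so the merge base with it is available, and that the file is saved as ci-audit.sh:

```shell
#!/bin/sh
# Added example, not the project's own script. Assumptions: base branch is
# origin/main (override with BASE_REF) and the clone is not shallow, so the
# three-dot diff can find the merge base.
set -eu

BASE_REF="${BASE_REF:-origin/main}"

# Decision helper: given a newline-separated list of changed paths, succeed
# only if one of them is a package-lock.json (root or nested). Kept free of
# git so it can be tested on a constructed list.
lockfile_changed() {
  printf '%s\n' "$1" | grep -qE '(^|/)package-lock\.json$'
}

# Files changed on this branch relative to its merge base with BASE_REF.
# The three-dot form ignores commits that are already on the base branch.
branch_changed_files() {
  git diff --name-only "$BASE_REF...HEAD"
}

# Entry point for the CI job: skip the audit (and stay green) when the lock
# file is untouched, otherwise run npm audit and propagate its exit status.
# Note this is a file-level check: a lock file updated for one package still
# surfaces an audit failure caused by a different package.
run_audit_if_needed() {
  if lockfile_changed "$(branch_changed_files)"; then
    echo "package-lock.json changed on this branch; running npm audit"
    npm audit
  else
    echo "package-lock.json unchanged on this branch; skipping npm audit"
  fi
}

# Only run the gate when executed as ci-audit.sh, not when sourced.
case "$0" in
  *ci-audit.sh) run_audit_if_needed ;;
esac
```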