naugtur / npm-audit-resolver

Apache License 2.0
121 stars 28 forks

Consider publishing a release with the argument passthrough changes #21

Closed pdusen closed 4 years ago

pdusen commented 4 years ago

I noticed that no new release has thus far been published since #18 was resolved. I'm not sure if that was intentional or not, but I'd like to request that you consider publishing a new release.

We use this tool in my office for a stage of CI build validation, and being able to filter audits to production dependencies only would greatly reduce the amount of audit-related fixes we need to do.

naugtur commented 4 years ago

Sorry I didn't release. I had to tend to my family urgently right after merging... Will release as soon as I'm at my computer again.

I should set up automated publishing I guess...

naugtur commented 4 years ago

My team at work is using it on 40 repositories. But this week we're planning the next big project and I didn't touch the keyboard at work either.

pdusen commented 4 years ago

No worries, I just wanted to make sure a release in the near future was in the cards.

naugtur commented 4 years ago

Before publishing I need to:

Not releasing right now - it's 00:47 and I don't trust myself to do the testing right.

pdusen commented 4 years ago

Cheers.

If you do end up finding that it affects direct arguments, you can probably resolve it by adding the argument names to the list of filtered keys. I already did this for --json, but you could easily add the others.

naugtur commented 4 years ago

I saw that.

I got tests to pass, now completing the list of arguments to skip.

naugtur commented 4 years ago

Got it. @pdusen Would you mind trying out current master?

pdusen commented 4 years ago

What would you like me to try? Updating a project with a known devDependency audit failure and seeing if it passes the audit?

naugtur commented 4 years ago

Check the functionality you needed is still there :)

pdusen commented 4 years ago

Looks good to me. Compare the two runs below:

$ npm run audit:check

> dynamic-app-api@1.0.0 audit:check C:\Repositories\dynapi
> check-audit

>>>> npm audit --json
>>>> exit: 1
Total of 1 actions to process
--------------------------------------------------
[moderate] Cross-Site Scripting
 -  devDependencies: uglifyjs-webpack-plugin>serialize-javascript
--------------------------------------------------
 😱   Unresolved issues found!
--------------------------------------------------

$ npm run audit:check

> dynamic-app-api@1.0.0 audit:check C:\Repositories\dynapi
> check-audit --production

>>>> npm audit --json --production
>>>> exit: 0
Total of 0 actions to process
audit ok.
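
As an added illustration of the pass-through the two comments above describe (the wrapper forwarding its own arguments to `npm audit --json` while dropping keys it already handles, such as `--json`), here is a sketch in JavaScript. It is not code from npm-audit-resolver; the filtered and value-taking key sets are assumptions made for this example.

```javascript
// Added example, not code from npm-audit-resolver. It sketches a CLI
// pass-through of the kind discussed in the thread: the wrapper keeps the
// options it handles itself and forwards the rest to `npm audit --json`.
// FILTERED_KEYS and VALUE_KEYS are hypothetical choices for this sketch.

// Keys the wrapper consumes (or adds itself), so they are never forwarded.
// `--json` is always added by the wrapper; `ignore-low` is assumed here to
// be a wrapper-only option.
const FILTERED_KEYS = new Set(['json', 'ignore-low']);

// npm audit options that take a value; the value must travel with its key,
// otherwise `--audit-level moderate` would forward a stray `moderate`.
const VALUE_KEYS = new Set(['audit-level', 'registry']);

// Turn argv into [{ key, value }] pairs, handling both `--k=v` and `--k v`.
function parseOptions(argv) {
  const options = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) continue; // bare positionals are dropped
    const eq = arg.indexOf('=');
    if (eq !== -1) {
      options.push({ key: arg.slice(2, eq), value: arg.slice(eq + 1) });
    } else if (VALUE_KEYS.has(arg.slice(2)) && i + 1 < argv.length) {
      options.push({ key: arg.slice(2), value: argv[++i] });
    } else {
      options.push({ key: arg.slice(2), value: null });
    }
  }
  return options;
}

// Build the argument list for `npm`, e.g. ['audit', '--json', '--production'].
function buildAuditArgs(argv) {
  const forwarded = ['audit', '--json'];
  for (const { key, value } of parseOptions(argv)) {
    if (FILTERED_KEYS.has(key)) continue; // handled by the wrapper itself
    forwarded.push(value === null ? `--${key}` : `--${key}=${value}`);
  }
  return forwarded;
}

// Stand-alone use: `node passthrough.js --production` prints
// "audit --json --production", matching the second run above.
console.log(buildAuditArgs(process.argv.slice(2)).join(' '));
```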

naugtur commented 4 years ago

Ok, let's do this.

naugtur commented 4 years ago

published v2.2.0

pdusen commented 4 years ago

Thanks for your hard work!

joebowbeer commented 4 years ago

See https://github.com/naugtur/npm-audit-resolver/issues/19#issuecomment-577932135 concerning missing ignoreLow and unexpected behavior passing --audit-level option.