Closed jamesots closed 2 years ago
I need to rewrite the details option entirely for npm7 support anyway, so there's more to change there. If you could elaborate more on what you want to do and why, I didn't really get if you mean you need three id for automation or just see it and do something with it.
It's just so that developers can copy the ID into a wiki page where we are logging the decisions. It's useful then being able to match it up with the number in audit-resolve.json if we are checking to see why we've ignored something.
Decisions are logged in the JSON file, and while the feature is not developed yet, the format allows a "reason" field.
We have multiple projects, so being able to have a central log means people can quickly see how another team has managed a particular advisory. I guess I can always ask them to read the json file after running resolve-audit to find the ids — it's just not as easy as having it displayed while making the decisions.
It's also confusing some people, who were wondering why there's one URL displayed when running npm audit, and two different URLs when running resolve-audit. I can explain it to them, but having the id/url displayed would be more helpful.
Sure. I can do that. Please show an example of what you'd like to see
I'm not too bothered how it's displayed, but I'd probably add it in before the other URLs like this:
```text
What would you like to do? d
trim versions installed: 0.0.1
Versions of `trim` lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
Upgrade to version 0.0.3 or later
- [NPM](https://npmjs.com/advisories/1700)
- [CVE](https://nvd.nist.gov/vuln/detail/CVE-2020-7753)
- [GitHub Advisory](https://github.com/advisories/GHSA-w5p7-h5w8-2hfq)
_
d) show more details and ask me again
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do?
```
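As an added illustration (not npm-audit-resolver's own code), the snippet below renders the detail block in the layout proposed above and turns the same advisory into the kind of entry a team could paste into a central decision log, using the advisory id taken from the npm URL. The advisory object shape and field names are assumptions constructed for this example; real `npm audit --json` output differs between npm versions.

```javascript
// Constructed sample advisory; field names are assumptions for this example,
// not the shape npm or npm-audit-resolver actually emits.
const sampleAdvisory = {
  name: 'trim',
  installed: '0.0.1',
  url: 'https://npmjs.com/advisories/1700',
  cve: 'CVE-2020-7753',
  ghsa: 'GHSA-w5p7-h5w8-2hfq',
  title: 'Versions of `trim` lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().',
  recommendation: 'Upgrade to version 0.0.3 or later',
};

// Extract the numeric advisory id from an npmjs.com advisory URL; null when the
// URL is missing or is not an npm advisory link (e.g. a GHSA page).
function advisoryIdFromUrl(url) {
  const m = /npmjs\.com\/advisories\/(\d+)\/?$/.exec(url || '');
  return m ? Number(m[1]) : null;
}

// Render the detail text with the npm advisory link first, followed by the
// CVE and GitHub Advisory links only when those identifiers are known.
function formatAdvisoryDetails(adv) {
  const lines = [
    `${adv.name} versions installed: ${adv.installed}`,
    adv.title,
    adv.recommendation,
    `- [NPM](${adv.url})`,
  ];
  if (adv.cve) lines.push(`- [CVE](https://nvd.nist.gov/vuln/detail/${adv.cve})`);
  if (adv.ghsa) lines.push(`- [GitHub Advisory](https://github.com/advisories/${adv.ghsa})`);
  return lines.join('\n');
}

// Build a log entry keyed by the advisory id so it can later be matched against
// the number stored in audit-resolve.json; `reason` mirrors the field that file
// reserves for documenting why an advisory was ignored or resolved.
function decisionLogEntry(adv, decision, reason) {
  return {
    advisoryId: advisoryIdFromUrl(adv.url),
    package: adv.name,
    cve: adv.cve || null,
    decision,
    reason,
    loggedAt: new Date().toISOString(),
  };
}
```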
Ok 😅 now I get it. These URLs were not here in the output when I first wrote npm-audit-resolver.
I had to change what's being displayed when I introduced npm7 support. Check it out and let's talk.
`npm i npm-audit-resolver@next`
There's no longer a details option, because most details are gone from the npm7 output, but I made the advisory URL much more prominent.
I like the new output, that'll be perfect for our needs. Thank you.
The only thing I'd change is the colouring of the package name, which is almost unreadable on my screen.
Oh. That contrast sucks. Thanks for the screenshot.
Keep testing 😅
Closing this as it's fixed in the upcoming major release and when I close it's easier to remember it's done :)
When you press 'd' for 'show more details and ask me again', it would be helpful if the NPM advisory URL was included (e.g. https://npmjs.com/advisories/1700), as I'd like to be able to use the advisory ID for internally logging audit resolutions.
I think it could just be a case of adding `${advisory.url}` to the output of `printDetailsOfAdvisory` in `decisions.js`?