Open IgnorantSapient opened 3 years ago
Hiho :wave:
In my opinion, passing additional parameters to npm audit
is never a problem. Concerning the return code change, I think this would be a breaking change. Given you use lerna-audit
in a CI/CD pipeline: A non zero return code would cancel the pipeline. Why would you like to change the return code? What's your use case?
Nevertheless, it might make sense to rethink the return codes when we put out a new major version.
I have the same requirement. Given that lerna-audit
is a wrapper around npm audit
, I'd expect it to match exit codes. In my case, I want the CI pipeline to fail if there are vulnerabilities - it's too easy to ignore automated checks that don't fail the build.
As there are not too much requirements atm, I think putting out a major version would be okay. The only limiting factor is time, as always. :hourglass: :smile:
I also have the same requirement. We use npm audit in gating tests part of the CI pipeline to check for vulnerabilities. The CI pipeline needs to be blocked if vulnerabilities show up. We don't want to deploy apps with vulnerabilities.
Let's say I run
lerna-audit
from the root of my directory with the--no-fix
option, and vulnerabilities are found, runningecho $?
to check the execution status does not return a non zero status code.For instance
npm audit --audit-level=high
returns a status code of 1 if high | critical vulnerabilities are found.Would you be open to adding the right status code outputs to this CLI tool along with the
--audit-level
flag? This would come in handy when using with a build / CI system, I am happy to send a PR, please let me know.....