AndrewLeedham
commented
4 years ago Hi @northvik thanks for reaching out. My concern with this feature is this: say a dependency has a critical vulnerability but no patch, this option would suppress said vulnerability and the build might end up in production. Whereas with the current flow, it would stop the deployment and you would have to manually allow the package through, meaning you can review if the issue actually affects your code.
If you feel this is still a feature you need, I think I would rather have the allow option take a function that is passed the data for each table and then you can return a boolean which determines if the package is 'allowed' or not. Then you can implement this feature and any other type of checking as you see fit :)
github-actions[bot]
I think this package could have an option that would ignore vulnerabilities that don't have a patch. example:
In that example, you can see that this vulnerability have no fix at that point in time
Patched in: No patch available, which mean that the audit test would fail. The solution, in that case, would be to addlodashtot the list of allowed packages, but if in a few days there is a patch that is published, then it wouldn't be caught by the audit test next time it's run.What I propose is an option like
patchedOnly: truethat would ignore the vulnerabilities that are not patched, and put them in a separate list. This would result in a passing test, and it could also print out that non-patched vulnerability list so that the user is aware of it.thank you very much for that amazing package.