[plugin-npm-cli] Add support for glob patterns in --exclude and --ignore

packages/gatsby/static/configuration/yarnrc.json

@@ -452,7 +452,7 @@
     },
     "npmAuditExcludePackages": {
       "_package": "@yarnpkg/plugin-npm-cli",
-      "description": "List of packages to exclude from `yarn npm audit`. Doesn't need to be defined, in which case no packages will be excluded. Can also be augmented by the `--exclude` flag.",
+      "description": "Array of glob patterns of packages to exclude from `yarn npm audit`. Doesn't need to be defined, in which case no packages will be excluded. Can also be augmented by the `--exclude` flag.",
       "type": "array",
       "items": {
         "type": "string"
@@ -462,7 +462,7 @@
     },
     "npmAuditIgnoreAdvisories": {
       "_package": "@yarnpkg/plugin-npm-cli",
-      "description": "List of advisory ID's to ignore from `yarn npm audit` results. Doesn't need to be defined, in which case no advisories will be ignored. Can also be augmented by the `--ignore` flag.",
+      "description": "Array of glob patterns of advisory ID's to ignore from `yarn npm audit` results. Doesn't need to be defined, in which case no advisories will be ignored. Can also be augmented by the `--ignore` flag.",
       "type": "array",
       "items": {
         "type": "string"

packages/plugin-npm-cli/package.json

@@ -7,6 +7,7 @@
     "@yarnpkg/fslib": "workspace:^",
     "clipanion": "^3.2.0-rc.10",
     "enquirer": "^2.3.6",
+    "micromatch": "^4.0.2",
     "semver": "^7.1.2",
     "tslib": "^1.13.0",
     "typanion": "^3.3.0"
@@ -19,6 +20,7 @@
   },
   "devDependencies": {
     "@npm/types": "^1.0.1",
+    "@types/micromatch": "^4.0.1",
     "@types/semver": "^7.1.0",
     "@yarnpkg/cli": "workspace:^",
     "@yarnpkg/core": "workspace:^",

packages/plugin-npm-cli/sources/commands/npm/audit.ts

@@ -2,6 +2,7 @@ import {BaseCommand, WorkspaceRequiredError}
 import {Configuration, Project, MessageName, treeUtils, LightReport, StreamReport} from '@yarnpkg/core';
 import {npmConfigUtils, npmHttpUtils}                                              from '@yarnpkg/plugin-npm';
 import {Command, Option, Usage}                                                    from 'clipanion';
+import micromatch                                                                  from 'micromatch';
 import * as t                                                                      from 'typanion';
 
 import * as npmAuditTypes                                                          from '../../npmAuditTypes';
@@ -80,11 +81,11 @@ export default class AuditCommand extends BaseCommand {
   });
 
   excludes = Option.Array(`--exclude`, [], {
-    description: `Packages to exclude from audit`,
+    description: `Array of glob patterns of packages to exclude from audit`,
   });
 
   ignores = Option.Array(`--ignore`, [], {
-    description: `Advisories to ignore in the audit report`,
+    description: `Array of glob patterns of advisory ID's to ignore in the audit report`,
   });
 
   async execute() {
@@ -109,17 +110,30 @@ export default class AuditCommand extends BaseCommand {
       }
     }
 
-    const excludedPackages = [
+    const excludedPackages = Array.from(new Set([
       ...configuration.get(`npmAuditExcludePackages`),
       ...this.excludes,
-    ];
+    ]));
 
-    for (const pkg of excludedPackages) {
-      delete requires[pkg];
-      delete dependencies[pkg];
+    if (excludedPackages) {
+      for (const pkg of Object.keys(requires)) {
+        if (micromatch.isMatch(pkg, excludedPackages)) {
+          delete requires[pkg];
+        }
+      }
+
+      for (const pkg of Object.keys(dependencies)) {
+        if (micromatch.isMatch(pkg, excludedPackages)) {
+          delete dependencies[pkg];
+        }
+      }
 
       for (const key of Object.keys(dependencies)) {
-        delete dependencies[key].requires[pkg];
+        for (const pkg of Object.keys(dependencies[key].requires)) {
+          if (micromatch.isMatch(pkg, excludedPackages)) {
+            delete dependencies[key].requires[pkg];
+          }
+        }
       }
     }
 
@@ -148,17 +162,18 @@ export default class AuditCommand extends BaseCommand {
     if (httpReport.hasErrors())
       return httpReport.exitCode();
 
-    const ignoredAdvisories = new Set([
+    const ignoredAdvisories = Array.from(new Set([
       ...configuration.get(`npmAuditIgnoreAdvisories`),
       ...this.ignores,
-    ]);
-
-    for (const key of ignoredAdvisories) {
-      const entry = result.advisories[key];
-      delete result.advisories[key];
-
-      if (typeof entry !== `undefined`) {
-        result.metadata.vulnerabilities[entry.severity] -= 1;
+    ]));
+
+    if (ignoredAdvisories) {
+      for (const advisory of Object.keys(result.advisories)) {
+        if (micromatch.isMatch(advisory, ignoredAdvisories)) {
+          const entry = result.advisories[advisory];
+          result.metadata.vulnerabilities[entry.severity] -= 1;
+          delete result.advisories[advisory];
+        }
       }
     }
 

packages/plugin-npm-cli/sources/index.ts

@@ -26,13 +26,13 @@ const plugin: Plugin = {
       default: null,
     },
     npmAuditExcludePackages: {
-      description: `List of packages to exclude from npm audit`,
+      description: `Array of glob patterns of packages to exclude from npm audit`,
       type: SettingsType.STRING,
       default: [],
       isArray: true,
     },
     npmAuditIgnoreAdvisories: {
-      description: `List of advisory IDs to exclude from npm audit`,
+      description: `Array of glob patterns of advisory IDs to exclude from npm audit`,
       type: SettingsType.STRING,
       default: [],
       isArray: true,

yarn.lock

@@ -6030,6 +6030,7 @@ __metadata:
   resolution: "@yarnpkg/plugin-npm-cli@workspace:packages/plugin-npm-cli"
   dependencies:
     "@npm/types": "npm:^1.0.1"
+    "@types/micromatch": "npm:^4.0.1"
     "@types/semver": "npm:^7.1.0"
     "@yarnpkg/cli": "workspace:^"
     "@yarnpkg/core": "workspace:^"
@@ -6038,6 +6039,7 @@ __metadata:
     "@yarnpkg/plugin-pack": "workspace:^"
     clipanion: "npm:^3.2.0-rc.10"
     enquirer: "npm:^2.3.6"
+    micromatch: "npm:^4.0.2"
     semver: "npm:^7.1.2"
     tslib: "npm:^1.13.0"
     typanion: "npm:^3.3.0"