[plugin-npm-cli]: Add ability to exclude packages from yarn npm audit
This patch adds a `--exclude` flag to the `yarn npm audit` command in the
`npm-cli` plugin. This flag can be passed multiple times, and any package
listed will be removed from the list of packages audited.
hughdavenport committed May 10, 2022
commit f344adf34518240a83740d4bf9da23f77cb84f4d
19 changes: 19 additions & 0 deletions packages/plugin-npm-cli/sources/commands/npm/audit.ts
Expand Up @@ -24,6 +24,8 @@ export default class AuditCommand extends BaseCommand {

If the \`--json\` flag is set, Yarn will print the output exactly as received from the registry. Regardless of this flag, the process will exit with a non-zero exit code if a report is found for the selected packages.

If certain packages produce false positives for a particular environment, the \`--exclude\` flag can be used to exclude any number of packages from the audit.

To understand the dependency tree requiring vulnerable packages, check the raw report with the \`--json\` flag or use \`yarn why <package>\` to get more information as to who depends on them.
`,
examples: [[
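Review bot: the new `--exclude` sentence in this hunk presents the flag as a way around false positives but does not say what it actually does, which (per the `delete requires[pkg]` / `delete dependencies[pkg]` logic later in this patch) is to drop the named package by name, so every advisory for that package disappears regardless of its severity or the installed version. Suggest stating that explicitly, for example "The \`--exclude\` flag removes the named packages from the audit entirely, so any advisory affecting them, at any severity, will not be reported", so that readers do not assume it narrows the report to one advisory and treat the exclusion as the risk acceptance it is.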
Expand All @@ -44,6 +46,9 @@ export default class AuditCommand extends BaseCommand {
], [
`Output moderate (or more severe) vulnerabilities`,
`yarn npm audit --severity moderate`,
], [
`Exclude certain packages`,
`yarn npm audit --exclude package1 --exclude package2`,
]],
});

Expand All @@ -69,6 +74,10 @@ export default class AuditCommand extends BaseCommand {
validator: t.isEnum(npmAuditTypes.Severity),
});

excludes = Option.Array(`--exclude`, [], {
description: `Packages to exclude from audit`,
});

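Review bot: the `excludes` option in this hunk has no validator and its description does not say what value is expected or that the flag can be repeated, unlike `severity` just above it which validates with `t.isEnum`. Suggest at least tightening the description to match the help text, for example `description: \`Package names to exclude from the audit (may be passed multiple times)\``, so `yarn npm audit --help` tells the user that the argument is a bare package name as keyed in the audit body and not a `name@range` specifier.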
async execute() {
const configuration = await Configuration.find(this.context.cwd, this.context.plugins);
const {project, workspace} = await Project.find(configuration, this.context.cwd);
Expand All @@ -91,6 +100,16 @@ export default class AuditCommand extends BaseCommand {
}
}

if (this.excludes) {
for (const pkg of this.excludes) {
delete requires[pkg];
delete dependencies[pkg];
for (const key of Object.keys(dependencies)) {
delete dependencies[key].requires[pkg];
}
}
}

const body = {
requires,
dependencies,
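Review bot: a name passed to `--exclude` that matches nothing in `requires` or `dependencies` is silently ignored by this loop, so a typo such as `--exclude lodsh` leaves the vulnerable package in the audit while the user believes it has been excluded, and nothing in the output shows which packages were suppressed. Suggest checking `pkg in requires || pkg in dependencies` before the deletes, collecting names that hit nothing and surfacing them as a warning in the report, and listing the packages that were excluded in the non-JSON output so a reader of CI logs can see what was silenced. The `if (this.excludes)` guard is also redundant, since the option defaults to `[]`, so the `for` loop alone is enough.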